28 Jun
Does this Wireshark traffic dump show that there was a successful login?
After a brute-force attempt (many POST requests to "wp-login.php" from host 10.0.1.85), there were a couple of requests to admin-ajax.php, followed by a response from the server (10.0.1.88).
A further connection is then made via SSH. Could this signal that the user guessed the admin password? Or is it not related at all?
Then, after the SSH connection, some values appear in a POST request to wp-admin-support, and in subsequent requests those values change.
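One way to answer the first question from the capture itself, as an added example that is not part of the post above and does not use the poster's pcap: WordPress answers a failed wp-login.php POST with HTTP 200 and the login form again, while a successful POST gets a 302 redirect to /wp-admin/ together with a `Set-Cookie: wordpress_logged_in_<hash>=...` header. The script below reads tshark field output (the field names `tcp.stream`, `ip.src`, `ip.dst`, `http.request.method`, `http.request.uri`, `http.response.code`, `http.response_for.uri`, `http.set_cookie`, `http.location` are real Wireshark fields; the tshark command in the docstring is the assumed way the TSV was produced), pairs each response with the last request on the same TCP stream, and classifies the wp-login.php responses. The sample rows are constructed to mimic three attempts from 10.0.1.85, the last one succeeding.

```python
"""Classify wp-login.php attempts from tshark field output.

Assumed extraction command (one row per HTTP request or response):
  tshark -r capture.pcap -Y 'http.request or http.response' \
    -T fields -E separator=/t \
    -e tcp.stream -e ip.src -e ip.dst -e http.request.method -e http.request.uri \
    -e http.response.code -e http.response_for.uri -e http.set_cookie -e http.location
"""
from collections import Counter

FIELDS = ["tcp.stream", "ip.src", "ip.dst", "http.request.method", "http.request.uri",
          "http.response.code", "http.response_for.uri", "http.set_cookie", "http.location"]

# Constructed sample rows (not from any real capture): two failed POSTs, one success,
# then a call to admin-ajax.php from the now logged-in client.
SAMPLE_TSV = "\n".join([
    "0\t10.0.1.85\t10.0.1.88\tPOST\t/wp-login.php\t\t\t\t",
    "0\t10.0.1.88\t10.0.1.85\t\t\t200\t/wp-login.php\t\t",
    "1\t10.0.1.85\t10.0.1.88\tPOST\t/wp-login.php\t\t\t\t",
    "1\t10.0.1.88\t10.0.1.85\t\t\t200\t/wp-login.php\t\t",
    "2\t10.0.1.85\t10.0.1.88\tPOST\t/wp-login.php\t\t\t\t",
    "2\t10.0.1.88\t10.0.1.85\t\t\t302\t/wp-login.php\t"
    "wordpress_logged_in_3f2a=admin%7C1700000000%7Cx; path=/wp-admin\thttp://10.0.1.88/wp-admin/",
    "3\t10.0.1.85\t10.0.1.88\tPOST\t/wp-admin/admin-ajax.php\t\t\t\t",
    "3\t10.0.1.88\t10.0.1.85\t\t\t200\t/wp-admin/admin-ajax.php\t\t",
])


def parse_tshark_tsv(text):
    """Turn tab-separated tshark output into one dict per row, padding missing fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (len(FIELDS) - len(parts))
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def classify_login_response(row, request_method):
    """Return 'success', 'failure', 'other' for a response to a wp-login.php POST, else None."""
    if "wp-login.php" not in row["http.response_for.uri"]:
        return None
    if request_method != "POST":
        return None  # a GET just fetches the form; nothing to judge
    code = row["http.response.code"]
    if code == "302" and "wordpress_logged_in_" in row["http.set_cookie"]:
        return "success"  # WordPress sets the auth cookie and redirects to wp-admin
    if code == "200":
        return "failure"  # the login form is rendered again with an error
    return "other"  # e.g. a redirect without an auth cookie; inspect by hand


def analyze(rows):
    """Count wp-login.php POSTs per client and collect successful logins."""
    last_request = {}  # tcp.stream -> (method, client ip) of the most recent request
    attempts = Counter()
    failures = 0
    successes = []
    for r in rows:
        if r["http.request.method"]:
            last_request[r["tcp.stream"]] = (r["http.request.method"], r["ip.src"])
            if r["http.request.method"] == "POST" and "wp-login.php" in r["http.request.uri"]:
                attempts[r["ip.src"]] += 1
            continue
        method, client = last_request.get(r["tcp.stream"], ("", r["ip.dst"]))
        verdict = classify_login_response(r, method)
        if verdict == "success":
            successes.append((client, r["http.location"]))
        elif verdict == "failure":
            failures += 1
    return {"post_attempts": dict(attempts), "failures": failures, "successes": successes}


if __name__ == "__main__":
    summary = analyze(parse_tshark_tsv(SAMPLE_TSV))
    print(summary)
```

If the real capture shows a 302 with a `wordpress_logged_in_` cookie after the run of 200s, the password was guessed; the admin-ajax.php traffic that follows is consistent with a logged-in dashboard, which polls that endpoint. The SSH part cannot be settled from the pcap alone: authentication happens inside the encrypted channel, so only the server's auth log (or the volume of data exchanged after key exchange) tells you whether that login succeeded.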