Loading ...

Play interactive tourEdit tour

Windows Analysis Report REQUIREMENT.exe

Overview

General Information

Sample Name:REQUIREMENT.exe
Analysis ID:1641
MD5:fb70ff484021669624233d0fbd77ec6a
SHA1:6820b13631967663ec2637c43c828468633051fd
SHA256:2b40757a6763aa725d86426ce3cd16fcf1380a9152837d4fbe5e5b085710054c
Infos:

Most interesting Screenshot:

Detection

GuLoader FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Yara detected FormBook
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
GuLoader behavior detected
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Connects to many different domains
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64native
  • REQUIREMENT.exe (PID: 1776 cmdline: 'C:\Users\user\Desktop\REQUIREMENT.exe' MD5: FB70FF484021669624233D0FBD77EC6A)
    • REQUIREMENT.exe (PID: 1172 cmdline: 'C:\Users\user\Desktop\REQUIREMENT.exe' MD5: FB70FF484021669624233D0FBD77EC6A)
      • explorer.exe (PID: 680 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)
        • autoconv.exe (PID: 5024 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 469594005E3B94C5945BCCE7FC521C05)
        • autochk.exe (PID: 5612 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 95127C028063423E1253BD0C8CD6C9CB)
        • systray.exe (PID: 2092 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 28D565BB24D30E5E3DE8AFF6900AF098)
          • cmd.exe (PID: 2492 cmdline: /c del 'C:\Users\user\Desktop\REQUIREMENT.exe' MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • cmd.exe (PID: 7420 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • firefox.exe (PID: 3076 cmdline: C:\Program Files\Mozilla Firefox\Firefox.exe MD5: FA9F4FC5D7ECAB5A20BF7A9D1251C851)
        • certmgr3ff.exe (PID: 1444 cmdline: C:\Program Files (x86)\Aidr0p8lx\certmgr3ff.exe MD5: FB70FF484021669624233D0FBD77EC6A)
          • certmgr3ff.exe (PID: 2676 cmdline: C:\Program Files (x86)\Aidr0p8lx\certmgr3ff.exe MD5: FB70FF484021669624233D0FBD77EC6A)
        • certmgr3ff.exe (PID: 7460 cmdline: 'C:\Program Files (x86)\Aidr0p8lx\certmgr3ff.exe' MD5: FB70FF484021669624233D0FBD77EC6A)
          • certmgr3ff.exe (PID: 6616 cmdline: 'C:\Program Files (x86)\Aidr0p8lx\certmgr3ff.exe' MD5: FB70FF484021669624233D0FBD77EC6A)
        • certmgr3ff.exe (PID: 7840 cmdline: 'C:\Program Files (x86)\Aidr0p8lx\certmgr3ff.exe' MD5: FB70FF484021669624233D0FBD77EC6A)
          • certmgr3ff.exe (PID: 4776 cmdline: 'C:\Program Files (x86)\Aidr0p8lx\certmgr3ff.exe' MD5: FB70FF484021669624233D0FBD77EC6A)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=downloa"}

Threatname: FormBook

{"C2 list": ["www.tpmionline.com/cogu/"], "decoy": ["bornhub.xyz", "hancofe.store", "bestofnapa.guide", "innerhell.space", "ryker.ink", "leschoixusa.com", "bqgfk.com", "yakyu-eiga.com", "martialkitchen.com", "thousandoaks-buickgmc.com", "researchlearningspirit.xyz", "byobuzz.com", "taichan.xyz", "ballznutcracker.com", "soymilk-design.com", "chalengestodo.com", "nu12.online", "hkautobox.com", "uprisehealthmonitoring.com", "027jia.net", "cacaolixir.com", "werasdfdfsadf.info", "sanchalanprokashon.com", "donlead.com", "dsnfryfufi.com", "laythproduction.com", "narcozland.com", "jachaljuega.com", "centralcontable.net", "agamottocoin.com", "congtyvhomes.com", "i8news-de.website", "estudio-me.com", "high-clicks.com", "boliden-ab.com", "nazfoodstuff.com", "sozialwirtschaft.team", "xn--4pvw92bcry.com", "6ohmf.info", "fishermandm.com", "marvellouslles.com", "suprabranding.net", "jkwhitleyphotography.com", "qylaser.net", "034455.com", "farbeo.com", "boggbeg.com", "domainair.biz", "gulfweeks.com", "alexanderorlandis.com", "earning-beauty.xyz", "shopsharpgraphics.com", "fdndigtavrcb.net", "ceruleden.com", "originial-motors.com", "ebbtidefloodtide.com", "ctlcloudfr.com", "bywl.top", "alo360.net", "cinargeridonusum.com", "xn--ahindelivery-3mc.com", "cryptoidolz.pro", "snowmanvila.com", "mobileiranian2.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.32667545706.00000000023B0000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
    00000003.00000002.33056187707.000000001E5F0000.00000040.00020000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000003.00000002.33056187707.000000001E5F0000.00000040.00020000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
      • 0x16aa9:$sqlite3step: 68 34 1C 7B E1
      • 0x16bbc:$sqlite3step: 68 34 1C 7B E1
      • 0x16ad8:$sqlite3text: 68 38 2A 90 C5
      • 0x16bfd:$sqlite3text: 68 38 2A 90 C5
      • 0x16aeb:$sqlite3blob: 68 53 D8 7F 8C
      • 0x16c13:$sqlite3blob: 68 53 D8 7F 8C
      00000003.00000002.33056187707.000000001E5F0000.00000040.00020000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19b77:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      00000015.00000000.35242814301.0000000027517000.00000004.00020000.sdmpLokiBot_Dropper_Packed_R11_Feb18Auto-generated rule - file scan copy.pdf.r11Florian Roth
      • 0x11d14:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
      Click to see the 33 entries

      Sigma Overview

      No Sigma rule has matched

      Jbx Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Found malware configurationShow sources
      Source: 00000001.00000002.32667545706.00000000023B0000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downloa"}
      Source: 00000003.00000002.33056187707.000000001E5F0000.00000040.00020000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.tpmionline.com/cogu/"], "decoy": ["bornhub.xyz", "hancofe.store", "bestofnapa.guide", "innerhell.space", "ryker.ink", "leschoixusa.com", "bqgfk.com", "yakyu-eiga.com", "martialkitchen.com", "thousandoaks-buickgmc.com", "researchlearningspirit.xyz", "byobuzz.com", "taichan.xyz", "ballznutcracker.com", "soymilk-design.com", "chalengestodo.com", "nu12.online", "hkautobox.com", "uprisehealthmonitoring.com", "027jia.net", "cacaolixir.com", "werasdfdfsadf.info", "sanchalanprokashon.com", "donlead.com", "dsnfryfufi.com", "laythproduction.com", "narcozland.com", "jachaljuega.com", "centralcontable.net", "agamottocoin.com", "congtyvhomes.com", "i8news-de.website", "estudio-me.com", "high-clicks.com", "boliden-ab.com", "nazfoodstuff.com", "sozialwirtschaft.team", "xn--4pvw92bcry.com", "6ohmf.info", "fishermandm.com", "marvellouslles.com", "suprabranding.net", "jkwhitleyphotography.com", "qylaser.net", "034455.com", "farbeo.com", "boggbeg.com", "domainair.biz", "gulfweeks.com", "alexanderorlandis.com", "earning-beauty.xyz", "shopsharpgraphics.com", "fdndigtavrcb.net", "ceruleden.com", "originial-motors.com", "ebbtidefloodtide.com", "ctlcloudfr.com", "bywl.top", "alo360.net", "cinargeridonusum.com", "xn--ahindelivery-3mc.com", "cryptoidolz.pro", "snowmanvila.com", "mobileiranian2.com"]}
      Multi AV Scanner detection for submitted fileShow sources
      Source: REQUIREMENT.exeReversingLabs: Detection: 48%
      Yara detected FormBookShow sources
      Source: Yara matchFile source: 00000003.00000002.33056187707.000000001E5F0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.32994766605.0000000011CAC000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.37532894515.0000000004590000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.33045645431.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.37532501994.0000000004560000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.32944159535.0000000011CAC000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.37528295705.00000000027D0000.00000040.00020000.sdmp, type: MEMORY
      Multi AV Scanner detection for dropped fileShow sources
      Source: C:\Users\user\AppData\Local\Temp\Aidr0p8lx\certmgr3ff.exeReversingLabs: Detection: 48%
      Source: REQUIREMENT.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: unknownHTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49790 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49791 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49824 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.217.168.33:443 -> 192.168.11.20:49825 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.217.168.78:443 -> 192.168.11.20:49826 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49829 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.217.168.33:443 -> 192.168.11.20:49830 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49831 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.217.168.33:443 -> 192.168.11.20:49832 version: TLS 1.2
      Source: Binary string: systray.pdb source: REQUIREMENT.exe, 00000003.00000002.33047271882.0000000000997000.00000004.00000020.sdmp
      Source: Binary string: systray.pdbGCTL source: REQUIREMENT.exe, 00000003.00000002.33047271882.0000000000997000.00000004.00000020.sdmp
      Source: Binary string: wntdll.pdbUGP source: REQUIREMENT.exe, 00000003.00000002.33058899963.000000001EA8D000.00000040.00000001.sdmp, systray.exe, 0000000D.00000002.37536543338.0000000004A8D000.00000040.00000001.sdmp, certmgr3ff.exe, 0000001A.00000002.35658181746.000000001E950000.00000040.00000001.sdmp, certmgr3ff.exe, 0000001B.00000002.35788695940.000000001EA8D000.00000040.00000001.sdmp, certmgr3ff.exe, 0000001C.00000002.35829603529.000000001EA7D000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: certmgr3ff.exe
      Source: C:\Windows\SysWOW64\systray.exeCode function: 13_2_027DFA80 FindFirstFileW,FindNextFileW,FindClose,13_2_027DFA80
      Source: C:\Windows\SysWOW64\systray.exeCode function: 13_2_027DFA79 FindFirstFileW,FindNextFileW,FindClose,13_2_027DFA79
      Source: C:\Windows\SysWOW64\systray.exeCode function: 4x nop then pop edi13_2_027E62B9
      Source: C:\Windows\SysWOW64\systray.exeCode function: 4x nop then pop edi13_2_027E5674
      Source: C:\Windows\SysWOW64\systray.exeCode function: 4x nop then pop ebx13_2_027D6AB8

      Networking:

      barindex
      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
      Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49793 -> 51.77.52.109:80
      Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49793 -> 51.77.52.109:80
      Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49793 -> 51.77.52.109:80
      Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49795 -> 172.67.139.41:80
      Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49795 -> 172.67.139.41:80
      Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49795 -> 172.67.139.41:80
      Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49796 -> 34.102.136.180:80
      Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49796 -> 34.102.136.180:80
      Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49796 -> 34.102.136.180:80
      Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49805 -> 216.189.108.75:80
      Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49805 -> 216.189.108.75:80
      Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49805 -> 216.189.108.75:80
      Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49807 -> 15.197.150.5:80
      Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49807 -> 15.197.150.5:80
      Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49807 -> 15.197.150.5:80
      Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49808 -> 198.54.117.211:80
      Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49808 -> 198.54.117.211:80
      Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49808 -> 198.54.117.211:80
      Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49809 -> 142.250.186.179:80
      Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49809 -> 142.250.186.179:80
      Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49809 -> 142.250.186.179:80
      Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49820 -> 216.189.108.75:80
      Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49820 -> 216.189.108.75:80
      Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49820 -> 216.189.108.75:80
      Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49841 -> 172.67.139.41:80
      Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49841 -> 172.67.139.41:80
      Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49841 -> 172.67.139.41:80
      Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49858 -> 216.189.108.75:80
      Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49858 -> 216.189.108.75:80
      Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49858 -> 216.189.108.75:80
      Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49863 -> 137.117.17.70:80
      Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49863 -> 137.117.17.70:80
      Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49863 -> 137.117.17.70:80
      Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49864 -> 192.0.78.25:80
      Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49864 -> 192.0.78.25:80
      Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49864 -> 192.0.78.25:80
      System process connects to network (likely due to code injection or exploit)Show sources
      Source: C:\Windows\explorer.exeNetwork Connect: 47.88.32.85 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 199.101.245.90 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 185.73.226.109 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 156.67.72.176 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 192.64.116.180 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 172.67.139.41 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 75.2.115.196 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 103.164.172.49 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 156.239.224.4 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 142.250.186.179 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 51.77.52.109 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 204.141.43.204 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 91.195.240.94 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 15.197.150.5 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 3.121.211.190 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 151.101.192.119 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 154.215.231.81 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 137.117.17.70 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 192.0.78.25 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 198.59.144.16 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 66.96.130.148 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 198.54.117.210 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 198.54.117.211 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 199.34.228.191 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 216.189.108.75 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 154.195.206.5 80Jump to behavior
      Performs DNS queries to domains with low reputationShow sources
      Source: DNS query: www.taichan.xyz
      Source: DNS query: www.researchlearningspirit.xyz
      C2 URLs / IPs found in malware configurationShow sources
      Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=downloa
      Source: Malware configuration extractorURLs: www.tpmionline.com/cogu/
      Source: Joe Sandbox ViewASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
      Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=XfIccXNfLX5VXF4pbqJOgkj9hfbfozamY6uAUfQ6uaB911jdIVb8IPx0hpo8MPsnFfll&EVpdF=D6AlWhC HTTP/1.1Host: www.hkautobox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=A+BqLwYGva59ha/kPE6YS9y5Cw6+WAl2lefwiAx9zEuoRfqY6i5KVFoFLUK0YMYmgzYy&EVpdF=D6AlWhC HTTP/1.1Host: www.taichan.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=xC5KNdI4GHSouGT38hjr4jsIQYnK9JeLhI8DzyfFb/cxQtVLaTUcvP9pEn5hYvrjmrvn&EVpdF=D6AlWhC HTTP/1.1Host: www.researchlearningspirit.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=0YOc4eMaPzOzEkITDzffiHUHUfLmwWJQOjcrghoXxwbMleRPqH/xhR7l6RpoJjhKUSQ4&EVpdF=D6AlWhC HTTP/1.1Host: www.bestofnapa.guideConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=Esy+SZGnlGcFL3b4TdwIqkWYMoe5TN9PO2uJWgi8huQtR8iqs12O2F0FkbqpOK+vLGht&EVpdF=D6AlWhC HTTP/1.1Host: www.bqgfk.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=7eaza+Vm8yYemsyz/zzwjWrklc8Yi5Ho5HX5TNM7allR4urhJrmRG4YV/48q0bSefO77&EVpdF=D6AlWhC HTTP/1.1Host: www.centralcontable.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=RrpHjQu0LYHaKA/4jQL7YSE8Zlpf0+V6RMywmZjWIXP7087B5zoOXLZv/c2UnXWK/cWX&EVpdF=D6AlWhC HTTP/1.1Host: www.mobileiranian2.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=AKrVC46g6aUqOUl59QNJifV5z+OjBVKueGdcTrEcNhmNt+uKBfQ1nRhJazzsjvYBoCEF&EVpdF=D6AlWhC HTTP/1.1Host: www.soymilk-design.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=XUO191KcVQfEEWsMJ9UBYnlCa/I+dhdLiWjITA58DRbwOP6fYUmdo8NYhzdUy3C+FUJf&EVpdF=D6AlWhC HTTP/1.1Host: www.domainair.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=NkcQ3oDOYkJGNuF95ZpkIKht5W0ulo+Ok2Me3lTyYaTuJ86BWuzspf8yVeXKwyiufl+B&EVpdF=D6AlWhC HTTP/1.1Host: www.nazfoodstuff.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=TP9OdDgalUD062Nc3ik6VEBCj7pU3sm2O2OGxDUNHqL9P8Ry/BX8xz+WUeumcOFdCH3f&EVpdF=D6AlWhC HTTP/1.1Host: www.cacaolixir.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=Vt5Qt2OmygQqgSlUs1LnTjIm5PAf0+j+U7GfZi7PpDW7/xLcDx4cEzk7U78MhAa3f93Z&EVpdF=D6AlWhC HTTP/1.1Host: www.fishermandm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=Q5540RkvIutfUkv4jGh7NesFHfEn9TtJOrndmKD2I8/SlFrfn/DKKL7940R4DTj3bJkH&EVpdF=D6AlWhC HTTP/1.1Host: www.tpmionline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=87aM8EhKbioxWIlC6s4JEYcLDNdjlliEZPCwIIW3J1beA80Hn/9mg1w4n0mGUY+KwtTo&EVpdF=D6AlWhC HTTP/1.1Host: www.shopsharpgraphics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?-Z=5j3dv6rhizRPl0MP&E6=0JW80yNTUiIblQnhj6MVn32XupSCHJgGKr7CbJ8acIuUK/cVpV73gH6OM/JKXthPyqu2 HTTP/1.1Host: www.jkwhitleyphotography.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=S26i6wvHPThQg5EmN96E/uV1flc9kx0qaETcxJTPPIRiBsvCj8OwSBVU0bghLZ2zBTNI&-Z=5j3dv6rhizRPl0MP HTTP/1.1Host: www.boliden-ab.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?-Z=5j3dv6rhizRPl0MP&E6=nujE8SKobpMEhFJCVnGir4WeRJmwvtVIfZaGtibw0wWMPhuUS2YahDL2LgFihEH5PyEZ HTTP/1.1Host: www.jachaljuega.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=62eHCTnViIbE5q/Vnkbvlz9TsuOUnGzf3IBPc1eKYkVqg+lXJUtXLjRsX48ZiFT924q+&-Z=5j3dv6rhizRPl0MP HTTP/1.1Host: www.xn--4pvw92bcry.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?-Z=5j3dv6rhizRPl0MP&E6=xvNBpPJxoT3V4STjWu+oXBc4W2+zox4LkJxyAqr5flGYxwgg6ZSnpz45f2Sl431JRkcr HTTP/1.1Host: www.ceruleden.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=7eaza+Vm8yYemsyz/zzwjWrklc8Yi5Ho5HX5TNM7allR4urhJrmRG4YV/48q0bSefO77&-Z=5j3dv6rhizRPl0MP HTTP/1.1Host: www.centralcontable.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?-Z=5j3dv6rhizRPl0MP&E6=jcFOH/ZxkSx2B+eOzji128R7cFyPyE6Tynf2GelbWKAhzBX6sEIR/9TLWk4pwFmf1t+F HTTP/1.1Host: www.marvellouslles.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=XUO191KcVQfEEWsMJ9UBYnlCa/I+dhdLiWjITA58DRbwOP6fYUmdo8NYhzdUy3C+FUJf&EVpdF=D6AlWhC HTTP/1.1Host: www.domainair.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=NkcQ3oDOYkJGNuF95ZpkIKht5W0ulo+Ok2Me3lTyYaTuJ86BWuzspf8yVeXKwyiufl+B&EVpdF=D6AlWhC HTTP/1.1Host: www.nazfoodstuff.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=TP9OdDgalUD062Nc3ik6VEBCj7pU3sm2O2OGxDUNHqL9P8Ry/BX8xz+WUeumcOFdCH3f&EVpdF=D6AlWhC HTTP/1.1Host: www.cacaolixir.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=Vt5Qt2OmygQqgSlUs1LnTjIm5PAf0+j+U7GfZi7PpDW7/xLcDx4cEzk7U78MhAa3f93Z&EVpdF=D6AlWhC HTTP/1.1Host: www.fishermandm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=kZBNmvv9/eiuWktgT/6kcZDtJw48mlhVfm1ri0sSAffAJ4dIxBHSptGOKbrWsOvy+Lqt&EVpdF=D6AlWhC HTTP/1.1Host: www.high-clicks.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=Q5540RkvIutfUkv4jGh7NesFHfEn9TtJOrndmKD2I8/SlFrfn/DKKL7940R4DTj3bJkH&EVpdF=D6AlWhC HTTP/1.1Host: www.tpmionline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=87aM8EhKbioxWIlC6s4JEYcLDNdjlliEZPCwIIW3J1beA80Hn/9mg1w4n0mGUY+KwtTo&EVpdF=D6AlWhC HTTP/1.1Host: www.shopsharpgraphics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=ryReQ6gKjI02p+tUx8m+7gLTns0HXWXot/Pd7vxfolZ67qcT6NKb85r0SsRZkPEm7LMW&GJE=6lTPJF HTTP/1.1Host: www.alo360.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=ryReQ6gKjI02p+tUx8m+7gLTns0HXWXot/Pd7vxfolZ67qcT6NKb85r0SsRZkPEm7LMW&GJE=6lTPJF HTTP/1.1Host: www.alo360.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=QRnHbABZr1ah6x+kOaYWzzpt/wEyN1uu/6itxi1XZlZPOwHQf3Tea8RViivUAbn0Nq3Q&GJE=6lTPJF HTTP/1.1Host: www.nu12.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=xC5KNdI4GHSouGT38hjr4jsIQYnK9JeLhI8DzyfFb/cxQtVLaTUcvP9pEn5hYvrjmrvn&GJE=6lTPJF HTTP/1.1Host: www.researchlearningspirit.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=62eHCTnViIbE5q/Vnkbvlz9TsuOUnGzf3IBPc1eKYkVqg+lXJUtXLjRsX48ZiFT924q+&GJE=6lTPJF HTTP/1.1Host: www.xn--4pvw92bcry.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=YWc9mILWetVQGhipA+G2uDb+SeX0Cd/MjDmv0ZQMTg5SMMvYjLI+xM6WaOuTEiNNd0Xk&GJE=6lTPJF HTTP/1.1Host: www.cinargeridonusum.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=XUO191KcVQfEEWsMJ9UBYnlCa/I+dhdLiWjITA58DRbwOP6fYUmdo8NYhzdUy3C+FUJf&EVpdF=D6AlWhC HTTP/1.1Host: www.domainair.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=NkcQ3oDOYkJGNuF95ZpkIKht5W0ulo+Ok2Me3lTyYaTuJ86BWuzspf8yVeXKwyiufl+B&EVpdF=D6AlWhC HTTP/1.1Host: www.nazfoodstuff.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=TP9OdDgalUD062Nc3ik6VEBCj7pU3sm2O2OGxDUNHqL9P8Ry/BX8xz+WUeumcOFdCH3f&EVpdF=D6AlWhC HTTP/1.1Host: www.cacaolixir.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=Vt5Qt2OmygQqgSlUs1LnTjIm5PAf0+j+U7GfZi7PpDW7/xLcDx4cEzk7U78MhAa3f93Z&EVpdF=D6AlWhC HTTP/1.1Host: www.fishermandm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=kZBNmvv9/eiuWktgT/6kcZDtJw48mlhVfm1ri0sSAffAJ4dIxBHSptGOKbrWsOvy+Lqt&EVpdF=D6AlWhC HTTP/1.1Host: www.high-clicks.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=Q5540RkvIutfUkv4jGh7NesFHfEn9TtJOrndmKD2I8/SlFrfn/DKKL7940R4DTj3bJkH&EVpdF=D6AlWhC HTTP/1.1Host: www.tpmionline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=87aM8EhKbioxWIlC6s4JEYcLDNdjlliEZPCwIIW3J1beA80Hn/9mg1w4n0mGUY+KwtTo&EVpdF=D6AlWhC HTTP/1.1Host: www.shopsharpgraphics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=87aM8EhKbioxWIlC6s4JEYcLDNdjlliEZPCwIIW3J1beA80Hn/9mg1w4n0mGUY+KwtTo&JXeD0V=5jFpKDWXi HTTP/1.1Host: www.shopsharpgraphics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=NFedTnOwyfQnQfz4Fa359HV39V5qjz9UUQouYpwkrhdO9l9uPa/7UwpxNrVjVYhaXz3f&JXeD0V=5jFpKDWXi HTTP/1.1Host: www.uprisehealthmonitoring.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=L5GjM02Qi9/3ctzLfpX21kbqInICP/PmVfQkFp534KYMBhdy6kz6hr7HyPkdH1b6OtPy&JXeD0V=5jFpKDWXi HTTP/1.1Host: www.estudio-me.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=CWSu9rBRqjtTkxrJy4pABq4mxihAfalcaoFBMiLqB2EmPhnp5uCs+6CRD45lGLAfaluR&JXeD0V=5jFpKDWXi HTTP/1.1Host: www.i8news-de.websiteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=6yxwGmrm3Ap/M+4TPZhn44EC1HJh+94HIixwD1LsvJrE4PEEHQNTPR5lSm/JOI/dScyn&JXeD0V=5jFpKDWXi HTTP/1.1Host: www.alexanderorlandis.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=XUO191KcVQfEEWsMJ9UBYnlCa/I+dhdLiWjITA58DRbwOP6fYUmdo8NYhzdUy3C+FUJf&EVpdF=D6AlWhC HTTP/1.1Host: www.domainair.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /cogu/?E6=NkcQ3oDOYkJGNuF95ZpkIKht5W0ulo+Ok2Me3lTyYaTuJ86BWuzspf8yVeXKwyiufl+B&EVpdF=D6AlWhC HTTP/1.1Host: www.nazfoodstuff.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: Joe Sandbox ViewIP Address: 93.184.220.29 93.184.220.29
      Source: Joe Sandbox ViewIP Address: 93.184.220.29 93.184.220.29
      Source: unknownNetwork traffic detected: DNS query count 39
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49832
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49831
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49830
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49791
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49790
      Source: unknownNetwork traffic detected: HTTP traffic on port 49827 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49829 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49825 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49832 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49826 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49824 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49830 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49831 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49829
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49827
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49826
      Source: unknownNetwork traffic detected: HTTP traffic on port 49791 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49825
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49824
      Source: unknownNetwork traffic detected: HTTP traffic on port 49790 -> 443
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeCache-Control: private, no-cache, no-store, must-revalidate, max-age=0Pragma: no-cacheContent-Type: text/htmlContent-Length: 708Date: Wed, 13 Oct 2021 13:48:15 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requ
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Oct 2021 13:48:21 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 13 Oct 2021 13:48:32 GMTContent-Type: text/htmlContent-Length: 275ETag: "615f9601-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 13 Oct 2021 13:48:38 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 13 Oct 2021 13:49:11 GMTContent-Type: text/htmlContent-Length: 275ETag: "615f9602-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Oct 2021 13:49:17 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: Apache/2Last-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%;
      Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 13 Oct 2021 13:50:07 GMTContent-Type: text/htmlContent-Length: 146Connection: closeServer: nginxVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 13 Oct 2021 13:50:13 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 13 Oct 2021 13:50:44 GMTContent-Type: text/htmlContent-Length: 275ETag: "615f9602-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3